A Fuzzy-Based Holistic Approach for Supply Chain Risk Assessment and Aggregation Considering Risk Interdependencies

Abstract

Supply chain risk management requires dealing with uncertainty, interrelations, and subjectivity inherent in the risk assessment process. This paper proposes a holistic approach for risk management that considers the impact on multiple performance objectives, the relation between risk agents, and the risk event interdependencies. An aggregated risk score is proposed to capture the cascading effects of common risk triggers and quantify the aggregated score by risk agent and objective. The approach also uses fuzzy logic to allow for the treatment of vague and ambiguity data as input parameters to the model from different domains and scales, according to knowledge and criteria nature. The integration of the balanced scorecard tool improves the analysis and prioritization of mitigation strategies in decision-making, both by risk agent and by strategic objective. A case study of a telecommunication company is presented to illustrate the applicability of the proposed approach.

1. Introduction

Management is a very important factor for business success and is defined as the process of measuring and analyzing what happened in order to make decisions/actions. For this, tools are needed that help to know, understand, and orient the actions towards the foreseen objectives. That is to say, to manage is to pilot the company and align all the resources and actions towards the strategy marked by the direction [1].

The management of risks in operations and supply chains (SCs) has emerged as one of the main research topics in the recent operations and supply chain management (SCM) literature [2,3,4]. SCs are increasingly prone to complexity and uncertainty. Factors such as reduction of supply base, globalization, shortened product life cycles, and capacity limitation of key components increase SC risks [5].

According to Moeinzadeh and Hajfathaliha [6], supply chain risk management (SCRM) can be viewed as a strategic management activity in firms. Organizational efficiency and performance are enhanced when a strategy to reduce uncertainty takes into account ‘‘context’’ and ‘‘environmental realities’’. In the case of SCRM, context refers to the sources of risk, magnitude of risk and its relationship to business objectives, and threat of disruption in SCs. Environmental realities include the degree of exposure to adverse events, scope of extended SCs, supplier management practices, etc. Therefore, the essence of SCRM is to make decisions that optimally align organizational processes and decisions to exploit opportunities while simultaneously minimizing risk [6].

The definition of the term “risk” strongly depends on the context and field of research involved. Many authors have defined risk in SC context [7,8,9,10,11,12,13]. In all definitions, there are two recurring elements: uncertainty and impacts. However, there are other factors that must be considered in terms of events including: What drives/causes the risk; where the risk is; and what the risk is associated with. Moreover, it is worth highlighting two aspects connected to the SCRM: (1) Risk exists at various levels, inside the company and at the network level; (2) risk evaluation is inherently subjective, because each analyst has his or her own concept of what constitutes a risk and the nature of the upstream and downstream relationships.

According to Aqlan and Mustafa [14], to manage SC risks, the risk can be considered in the form of an event so that it can be modelled, analyzed, mitigated, and monitored. Risk event is caused by a set of risk factors or agents that can lead to different impacts. These events are often interconnected, leading to the exacerbation of some risks when implementing mitigation strategies for other risks. Many risk management (RM) plans may fail because they do not consider interconnections among risks and are not comprehensive [15]. Several literature reviews [9,16,17] reveal the existing SCRM processes/frameworks have limited focus on the interdependency modelling of risks. According to Ho et al. [16]: “Investigating the joint impact of such risks can lead to better management of supply chains than treating each risk type in isolation….there is lack of research measuring the correlations between risk factors and corresponding risk types, or the probability of occurrence of particular types associated with their factors’’ [6] (p. 5060).

Aqlan and Lam [15] and Lee et al. [18] consider that modelling approaches for SC risks can be divided into: (1) Qualitative models, (2) quantitative models, and (3) hybrid models that incorporate qualitative and quantitative techniques. Qualitative techniques are mostly used for risk identification and risk analysis steps. According to Ho et al. [16], failure mode and effects analysis (FMEA) is one of the most widespread methods for risk analysis; however, it presents limitations in the calculation of the risk priority number (RPN), as have been discussed in several investigations [19,20,21,22,23]. Some of these limitations include:

• Different combinations of probability and severity of consequences may produce exactly the same value of RPN, but their hidden risk implications may be totally different.
• Interdependencies among various failure modes and effects are not taken into account.
• The relative importance of risk factors is not taken into consideration.
• The risk factors are difficult to be precisely evaluated.

In turn, due to the highly subjective nature and the lack of information, it is usually difficult to precisely measure risk parameters. A reasonable and suitable way to express these parameters is to use qualitative linguistic variables, particularly during experts’ judgments to estimate the occurrence likelihood (for example: very low, low, medium, high, and very high) and to assess the consequence severity (variables as slight, minor, moderate, critical, and catastrophic). In that sense, some studies have focused on improving the methods by reducing the uncertainty and subjectivity in information utilizing fuzzy sets, evidence theory, Bayesian approach, and other techniques. This has been one of the main drivers for developing hybrid models. Fuzzy theory has proven to be effective and efficient in handling these types of uncertainties [14,22,24,25,26,27].

Several RM frameworks are presented in the literature and a consensus exist that the main stages of SCRM involve four sequential stages: risk identification, risk assessment, risk treatment, and risk monitoring [4,15,28]. According to Fahimnia et al. [29], even though several studies in the SC literature have discussed RM, a limited number of studies discussed the entire management cycle of risks. Most of the studied researches are limited to some (mostly two) processes in the SCRM cycle, such as risk identification and assessment [30], risk assessment and mitigation [31], and risk identification and mitigation [32,33].

According to Ho et al. [16], the risk monitoring process has received less attention than the other processes. It is important to develop an early alert monitoring system with adaptive risk indicators for different SC types. Hence, more attention should be given to pre-SCRM and post-SCRM [16]. However, only a few number of research studies [34,35] consider in their approaches a previous analysis of SC. For example, Gaudenzi and Borghesi [36] considered the relationship of risks with the strategic objectives of the organization, but did not include the possibility of prior process improvement. The main limitations of previous studies are (1) focus on limited stages of the RM process, and (2) ignoring SC process analysis and their alignment with strategic management as a holistic system. Gaudenzi and Borghesi [36] and Pujawan and Geraldin [21] suggest that SCRM can be considered as a process that supports the achievement of SC management strategic objectives. In addition, Garvey et al. [7] and Qazi et al. [28] affirm that many existing measurement models only result in local optimally and underestimate the effects of triggering risks due to the causal structure within the supply network. In the reviewed literature, several researches discuss the importance of investigating the joint impact of risk events [7,16,17,37].

In relation to the above, Qazi et al. [27] revealed: “Although a number of quantitative tools and techniques have already been developed for managing supply chain risks, there is a limited focus on introducing holistic frameworks that not only integrate all stages of the risk management process but also capture the cascading effects of common risk triggers. Also, existing frameworks generally focus on optimising a single objective (performance measure) without exclusively modelling the trade-off between conflicting and interdependent objectives” [27] (p. 37). In that sense, an integrated analysis leads to effective mitigation strategies and the integration with the strategy of the organization is extremely important. This highlights the need to reinforce SCRM by considering the assessment and management of the entire cycle of SCRM linked to strategic management (multiple objectives) as well as the aggregation of risk impacts and epistemic uncertainty in order to obtain a more accurate risk assessment. To responding to these research needs, the following research goals will be addressed in this study:

• To assess SC risk level by considering the impact on multiple performance objectives and interrelationships between risk events.
• To develop a mathematical model to assess the risk score by considering the vague and imprecise nature of experts’ judgements with different domains and scales according to knowledge and nature of criteria.
• To integrate SCRM into business decision making through a holistic framework that considers RM stages and process relations.

This research develops a framework for proactive SCRM by integrating all RM stages with risk modelling and aggregation. This system captures the interdependence of risks in the strategic management at all levels of the SC deployment. To show the viability of proposed approach, we present a case of study in a telecommunication company.

2. Materials and Methods

The proposed framework for SCRM is based on a cyclic process supported by qualitative and quantitative methods in an aggregated form (Figure 1). This allows a step-by-step system for identifying and controlling risks systematically analyses. For a better understanding and application of this model, a procedure is proposed as shown in Figure 2.

2.1. Prepare the Study

The first step is to select the team and organize the project. The function of this team is to provide the necessary information for the development of the study, as well as to identify, configure, model, evaluate, decide and make the necessary analyses as a result of the application of the procedure. Since the quality of the team decisively influences the accuracy and reliability of the results, it is important that these people are motivated to participate. The commitment and support of the organization’s executive management must also be guaranteed. In addition, a member should be appointed at this point as the project coordinator.

2.2. Identify Processes and Activities

To achieve an adequate strategic deployment and effective RM, it is necessary to achieve a mastery of the logistics process that is managed in the organization under study as well as the analysis of the activities and flows that compose it.

In the specific case of SCs, we propose the use of the supply chain reference model (SCOR). According to Moazzam et al. [38], the SCOR model has been widely applied and easily understood in all kinds of sectors. It must be considered based on its basic management processes and key indicators and attributes.

In this sense, SC should be represented using the process categories according to their current state (AS-IS), both geographically and by wire diagrams, to then establish the design specifications of their new SC and power reconfigure it to the desired state (TO-BE). In this step, the operations strategy should be refined, and the best practices applicable to each defined element should be identified, as well as the system (hardware and software) capabilities required to support these practices.

2.3. Identify Strategic Objectives (l)

Within organizations, the behavior of some functional areas may be antagonistic to achieve objectives. It is necessary to make a deployment with “cascade effect”, from the business scope to the different strategic business units or processes, through functional strategies. For this purpose, we will use the balanced scorecard (BSC), a tool that revolutionized in the 1990s [39] to provide a way of measuring the performance of companies considering financial and non-financial indicators and linking these indicators to short-term objectives and long-term strategy [40]. This is achieved through the correct sequencing and integration of four processes: Convert/translate the business vision into actions; secondly communicate and link/relate to operational objectives; thirdly integrate all your business plans with your financial planning; and fourthly feedback by applying the necessary learning and adjustments [41,42,43,44,45,46,47]. According to Shafiee et al. [48], the strongest point of BSC is its ability to illustrate the cause and effect relations between strategies and processes.

2.4. Identify Risk Agents by Objective (A_jl)

According to Moeinzadeh and Hajfathaliha [6], SC risks are associated with: planning and control, supplies, processes, demand, return, and environment. To develop this step, it is necessary to identify for each objective “i”, the agents “j” that jeopardize its achievement by obtaining the A_jl. An agent is understood as the source of risk that can lead to the occurrence of one or more events and can impact more than one objective. The common tools used in the risk identification stage are questionnaires, flowcharts, interviews, event trees, fault trees, hazard and operability study (HAZOP), FMEA, among others. In this step, BSC cause–effect relationships are also very helpful.

2.5. Identify Events by Agents in the Processes (E_i)

In this step, we proceed to identify the risk events for which consequences can affect the objectives. At the same time, more than one agent can cause the same event, and an agent can cause more than one event [22]. In this analysis, we must consider both the effect that the agent of risk could directly cause, as well as the causality that may exist between the events. Hence, it is necessary to determine the relation of influence. An event tree tool is proposed for this purpose.

2.6. Identify Degree of Relationship between Events (r_nk) and between Agents and Events (R_jk)

As mentioned earlier, FMEA has some limitations in the calculation of RPN because it does not take into account the relations between the modes of failure and the effect. Previous research [21] has developed proposals to mitigate these limitations by considering the relationships between agents and events and highlighting the need to extend the analysis to the relationships between events. In this research, we have focused on these research needs.

Influence relationships refer to: What strength can the risk agent j cause the risk event i? With which strength can a risk event trigger the occurrence of another event? These relations in conjunction with the probability of occurrence of the agent and the severity of the event will be the determining factors for the aggregated risk score (ARS). The values are obtained by using the five main linguistic labels (very high, high, moderate, low, very low) and four additional linguistic labels among the main ones, as shown in Figure 3, as proposed by Saaty [49]. The use of fuzzy logic is based on the fact that some problems did not require, or do not have the correct or accurate value, and we could model the problem based on prior experience or knowledge of experts [26]. We will use the nine labels when we have been able to bring together the experts and they have reached a consensus among their different assessments, while we will only use the five main linguistic labels when we collect their assessments and must obtain the mean value.

To obtain the mean value, each main linguistic label can be transformed into a fuzzy number (a − c₁, a, a + c₂), where (a − c₁) is the minimum value of the fuzzy number, a is the mid value, and (a + c₂) is the maximum value. For the addition of these fuzzy numbers, we use the following expressions presented by Aqlan and Mustafa [14]:

$$d_1=\frac{1}{n}{\sum }_{i=1}^n{c}_{1i},b=\frac{\underset{1\le i\le n}{\min }{a}_i+\underset{1\le i\le n}{\max }{a}_i}{2},d_2=\frac{1}{n}{\sum }_{i=1}^n{c}_{2i},$$

(1)

where d₁ is the left width, b is the central value, and d₂ is the right width. These values will then be used to calculate the final aggregated fuzzy value as (b − d₁, b, b + d₂). To facilitate the management of this information, it is proposed that the collection of these numbers be done in the form of a matrix A_jl × E_i.

2.7. Determine the Probability of Occurrence of Each Risk Agent (O_j)

The conventional FMEA uses a scale to determine the probability of occurrence of the failure. In the case of this investigation, what is determined is the probability (or possibility) of occurrence of the agent of risk using linguistic labels. Information can be collected through surveys, questionnaires, and company’s information systems.

2.8. Determine the Severity of Risk Events (S_kl)

To address another limitation identified in the literature related to the redundancy of the information that can be considered when evaluating the impact of the consequences, the estimation will consider the event that directly impacts the objective. This judgment is the result of consensus among experts using linguistic labels as previously discussed. The experts who evaluate each of these aspects can define a larger number of linguistic labels, or different definitions of labels by triangular or trapezoidal numbers. As result of the previous steps, a representation of the model can be obtained as shown in Figure 4.

2.9. Determine the Aggregated Risk Score by Agent and Objective (ARS_jl)

The aim of this step is to determine the ARS_jl for each risk agent as it is exposed in the expression (2) with elements that have been determined in previous steps (O_j, S_kl, R_jk). For the basis of our proposal, we use the approaches developed by Pujawan and Geraldin [21] and Ma and Wong [22], and we include the correlations between risk events and the analysis by objective. This includes the existence and weighting of agents (causes) that can trigger several events (consequences), as well as the interrelationships between the events in a holistic way.

$$AR{S}_{jl}=O_j·\left[{\sum }_{k=1}^K\left(R_{jk}+{\sum }_{n=1}^{N_k}{r}_{nk}\right)·S_{kl}\right],$$

(2)

where K is the total branches connecting agent j to objective l; N_k is the total segments between risk events in the branch k; L is the total objectives; J is the total risk agents; R_jk is the degree of correlation between the agent of risk j and the event of risk that it affects directly in the branch k; r_nk is the degree of correlation between risk events of segment n in the branch k; S_kl is the severity of the impact on the objective l if the risk event (as final effect on objective) occurs in the branch k; and O_j is the probability of occurrence of the agent j.

In this expression, we also consider the use of fuzzy logic as a support tool to achieve the assignment of the qualities to the expression (subjectivity, vague information, ambiguities) that the conventional form of calculation would not allow [22]. By means of the operators and quantifiers of this logic [50], it is possible to obtain a value of ARS_jl that will be mainly determined by the probability of occurrence of the agent and will take into account the possibility that these events that are caused by the same agent to improve accuracy and reliability of the calculation.

2.10. Determine Priority for Decision Making

The aggregated value of each agent (ARS_j) is achieved by aggregating its impact on the objectives affected as shown in expression (3). Then the values are ordered for the setting of priorities.

$$AR{S}_j={\sum }_{l=1}^{L}AR{S}_{jl}.$$

(3)

A similar analysis can be made to determine the priority by objectives, considering the agents that belong to the same objective (ARS_l) according to the expression (4).

$$AR{S}_l={\sum }_{j=1}^{J}AR{S}_{jl}.$$

(4)

At this point, we must defuzzify the results to facilitate decision-making with linguistic expressions using the Pareto rule. We need to identify which agents cause the highest levels of risk and which objectives are most exposed to risk situations.

2.11. Monitoring and Control

All of the above makes it possible to set priorities and; therefore, make effective decisions, focusing on where the greatest efforts should be spent while taking the necessary actions proactively.

This analysis should be carried out by integrating risk management into strategic management through the use of key risk indicators (KRIs) in the BSC. The analysis is combined with the identification of checkpoints. Control points are activities or states within the process that must be controlled to proactively assure the effectiveness of process performance.

The proposal was applied to a telecommunications company. It is a joint venture enterprise with 16 subsidiaries that relies on providing public services through the installation, operation, marketing, and maintenance of telecommunication networks and services. The working system in all subsidiaries is the same. The process selected as the subject of study was the logistic process in a subsidiary with its associated SCs. Only those objectives that were within the “area of influence” of the corresponding area were deployed to precisely define the responsibilities. These strategic objectives were balanced in the construction of the BSC and the processes involved for the SCM were identified to the level of detail. This prior analysis facilitates the subsequent risk analysis.

3. Results

The selected group of experts according to the Section 2.1 of the proposal are shown in

Table 1. Selected experts to research application.

Nr.	Responsibility	Work Experience (Years)
1	Manager of logistic group	>10
2	Quality supervisor	>12
3	Supply manager	>5
4	Logistic specialist	>10
5	Warehouse manager	>10

. The analyses and values for the development of the assessments are based on the judgment of these experts. Many interviews were held with these experts in the chosen company to elicit solid information on the processes and identified risks.

The logistic process under study was conformed (Section 2.2). As an example, Figure 5 shows the source process. Traceability of activities with their inputs and outputs enables decision-makers to identify risk events and their relationships. Then, in accordance with Section 2.3, eight strategic and balanced objectives were derived according to the BSC perspectives: Clients (1), Financial (2), Processes (3), and Potentials (2).

Table 2. Risk agent by strategic objective.

Perspective	Objective	Risk Agents	Ajl
Clients	1	Deficient identification of customer requirements	A11
		Non-compliance with methodologies and procedures	A21
		Lack of availability of material resources and goods needed to meet a requirement.	A31
		Lack of process orientation to the client	A41
Financial	2	Conflicts between plans, programs and objectives	A52
		Deficient integration of the SC	A62
		Inadequate control mechanisms.	A72
	3	Non-compliance with methodologies and procedures	A23
		Inadequate control mechanisms	A73
		Interruption of IT systems	A83
Process	4	Non-compliance with methodologies and procedures	A24
	5	Non-compliance with methodologies and procedures	A25
		Deficient integration of the SC	A65
		Supplies do not arrive as scheduled	A95
		Occurrence of urgent requests.	A10-5
		Decreased supply capacity	A11-5
		Dependence on a single supplier	A12-5
	6	Inadequate control mechanisms	A76
		Lack of availability of elements, goods or money needed to meet a requirement	A36
Potentials	7	Insufficient use of information technology (IT) resources	A13-7
		Interruption of IT systems	A87
	8	Unfavorable organizational climate	A14-8
		Lack of correspondence of training actions and training needs	A15-8
		Fluctuation of staff	A16-8
		Lack of commitment of workers	A17-8
		Lack of motivation	A18-8

shows the identified risk agents associated with the achievement of the derived strategic objectives (Section 2.4). Decision-makers have identified 18 sources of risk, which are translated into 26 risk agents (A_jl) based on the particular objective analysis.

As a result of Section 2.5, 54 risk events were identified in the process. The risk event categories are Plan and Control (P), Source (S), Deliver (D), Return (R), and Enable (E).

Table 3. Events corresponding to the Source process and associated agents.

Activities	Events of Risks (Ei)	Agents (Ajl)
Resources management	Elaboration of the purchase plan without performing the relevant analyses (S1).	A11, A24, A23
	Make purchases from suppliers without contractual relations (S2).	A24
	Insufficient supply depending on the suppliers (ATM or territorial suppliers) (S3).	A31, A12-5
	Delays in the delivery of resources by suppliers (S4).	A65, A95, A11-5, A12-5
	Increase in inventory levels with low turnover or service effects due to lack of resources (S5).	A11, A23, A73
Product reception	Accept products without required documentation or quality (S6).	A72, A24, A17-8
Storage	Failure to correctly record the order entry according to the primary documentation causing differences between the sub-major bookkeeping and the stowage card (S7).	A24, A17-8
	Existence of past due or impaired resources (S8).	A72, A24
	Existence of shortages due to diversion of resources (S9).	A72, A25, A24, A73, A23, A17-8
	Incorrect inventory rotation (S10).	A52, A23, A73
	Incorrect inventory location (S11).	A23, A73
Payment issuance	Issuing payment to the supplier after the date agreed in the contract (S12).	A24, A87

shows the events corresponding to the Source process.

After the main risk agents and associated events are identified, the interactions between (R_jk) and within (r_nk) can be determined (Section 2.6). The event tree tool was used for each agent and fuzzy logic was used to add value to the ambiguities involved in the linguistic-data assessment process. Fuzzy numbers reflect the relative strength of each pair of network elements. The network structure corresponding to Objective 1 is shown in Figure 6 where P, S, D, and R represent the process type of the events.

The fuzzy matrixes of peer-to-peer comparison with expert judgments are constructed based on the network given in Figure 6 and are shown in

Table 4. Relationships between risk agents and events of objective 1.

Rjk	P1	P3	P4	P6	P7	P8	P9	P10	S1	S3	S5	D3	D4	D5	D6	D9	D11	D16	R6
A11	HVH	VH	VH			HVH		MH	LM		H
A21	H	HVH	H	HVH				VH				VH	HVH	VH	VH	HVH			HVH
A31										VH							HVH	H
A41	VH	LM			VH	VH	HVH

Note: VL = Very Low, L = Low, M = Moderate, H = High, VH = Very High, LM = Low to Moderate, MH = Moderate to High, HVH = High to Very High.

and

Table 5. Relationships between risk events of objective 1.

rnk	P4	P6		P7	P8	S3	S5	D4	D5	D6	D9	D11	D16
P1	H
P3	VH			L	MH
P4							VH
P6							HVH
P8						M	VH
P9		H
S1							M					H	HVH
S3							LM					MH	VH
D3								LM	L	MH
D5											L
D6												HVH	H
D11													MH

. Then, as described in Section 2.7, the values issued by the experts are shown in

Table 6. Estimated fuzzy probabilities of risk agents.

Oj	Expert 1	Expert 2	Expert 3	Expert 4	Expert 5	Fuzzy Number
O1	E	P	E	E	P	(0.6, 0.8, 0.94)
O2	E	E	E	E	E	(0.7, 0.9, 1)
O3	E	E	E	E	E	(0.7, 0.9, 1)
O4	VU	U	P	P	U	(0.3, 0.5, 0.7)
O5	U	P	P	U	P	(0.4, 0.6, 0.8)
O6	U	E	P	U	P	(0.5, 0.7, 0.88)
O7	NE	U	P	P	U	(0.22, 0.4, 0.6)
O8	E	E	E	E	E	(0.7, 0.9, 1)
O9	E	P	P	U	P	(0.5, 0.7, 0.88)
O10	U	VU	P	U	U	(0.3, 0.5, 0.7)
O11	P	P	P	P	U	(0.4, 0.6, 0.8)
O12	E	P	E	P	E	(0.6, 0.8, 0.94)
O13	U	E	P	U	U	(0.5, 0.7, 0.88)
O14	NE	U	P	NE	U	(0.24, 0.4, 0.6)
O15	VU	U	VU	U	P	(0.3, 0.5, 0.7)
O16	P	U	P	NE	U	(0.22, 0.4, 0.6)
O17	VU	VU	VU	U	P	(0.3, 0.5, 0.7)
O18	VU	U	P	U	U	(0.3, 0.5, 0.7)

Note: NE = Not Expected, VU = Very Unlikely, U = Unlikely, P = Possible, E = Expected.

. This analysis of the probability of occurrence is performed for the source agent. However, severity was identified by branch. This is in correspondence with the impact of the occurrence of the last event (highlighted in red color in Figure 6) to avoid redundancy in the aggregation.

The values identified for agent A₁₁ as a result of the development of Section 2.8 are shown in

Table 7. Estimated impacts of identified risks of agent A₁₁.

Branch	Expert 1	Expert 2	Expert 3	Expert 4	Expert 5	Fuzzy Number Skl
1	VH	H	H	VH	H	(0.6, 0.8, 0.96)
2	VH	H	H	VH	H	(0.6, 0.8, 0.96)
3	H	VH	H	H	H	(0.6, 0.8, 0.98)
4	VH	VH	VH	VH	VH	(0.7, 0.9, 1)
5	VH	M	M	M	H	(0.5, 0.7, 0.88)
6	VH	VH	VH	VH	VH	(0.7, 0.9, 1)
7	VH	H	M	VH	H	(0.5, 0.7, 0.86)
8	VH	H	H	VH	H	(0.6, 0.8, 0.96)
9	H	H	M	H	L	(0.3, 0.5, 0.7)
10	VH	H	H	VH	H	(0.6, 0.8, 0.96)
11	VH	VH	VH	VH	H	(0.6, 0.8, 0.94)

.

For example, the calculation of the aggregated fuzzy severity of branch 5 of agent A₁₁ using the aggregation method in Equation (1) is calculated as:

$$Branch5:\left(0.7,0.9,1\right),\left(0.3,0.5,0.7\right),\left(0.3,0.5,0.7\right),\left(0.3,0.5,0.7\right),\left(0.5,0.7,0.9\right)$$

$$Branch5:\left(a_i-c_{1i},a_i,a_i+c_{2i}\right)\to \left(c_{1i},a_i,c_{2i}\right):\left(0.2,0.9,0.1\right),\left(0.2,0.5,0.2\right),\left(0.2,0.5,0.2\right),\left(0.2,0.5,0.2\right),\left(0.2,0.7,0.2\right)$$

$$d_1=\frac{1}{n}{\displaystyle \sum _{i=1}^n}{c}_{1i}=\frac{0.2+0.2+0.2+0.2+0.2}{5}=0.2$$

$$d_2=\frac{1}{n}{\displaystyle \sum _{i=1}^n}{c}_{2i}=\frac{0.1+0.2+0.2+0.2+0.2}{5}=0.18$$

$$b=\frac{\underset{1\le i\le n}{\min }{a}_i+\underset{1\le i\le n}{\max }{a}_i}{2}=\frac{0.5+0.9}{2}=0.7$$

$$Branch5:\left(c_{1i},a_i,c_{2i}\right)=\left(0.2,0.7,0.18\right)\to \left(a_i-c_{1i},a_i,a_i+c_{2i}\right)=\left(0.5,0.7,0.88\right).$$

According to described in Section 2.9, the ARS by agent was measured based on Equation (2). For the first branch of A₁₁:

$$1^{st}BranchAR{S}_{11}=\left(0.6,0.8,0.9\right)·\left[\left(\left(0.6,0.8,1\right)+\left(0.5,0.7,0.9\right)+\left(0.7,0.9,1\right)\right)·\left(0.6,0.8,0.96\right)\right].$$

Detailed calculations of the A₁₁ branches are shown in the

Table 8. Values of ARS_jl of A₁₁ branches.

Branch	Oj	Skl	Rjk + ∑rnk	ARSjl
P1-P4-S5	(0.6, 0.8, 0.9)	(0.6, 0.8, 0.96)	(1.8, 2.4, 2.9)	(0.648, 1.536, 2.616)
P3-P4-S5		(0.6, 0.8, 0.96)	(2.1, 2.7, 3)	(0.756, 1.728, 2.707)
P3-P7		(0.6, 0.8, 0.98)	(0.8, 1.2, 1.5)	(0.288, 0.768, 1.381)
P3-P8-D11-D16		(0.7, 0.9, 1)	(2.4, 3.2, 3.8)	(1.008, 2.304, 3.572)
P3-P8-S10		(0.5, 0.7, 0.88)	(1.8, 2.4, 2.8)	(0.54, 1.344, 2.316)
P8-D11-D16		(0.7, 0.9, 1)	(1.9, 2.5, 3)	(0.798, 1.8, 2.82)
P8-S10		(0.5, 0.7, 0.86)	(1.3, 1.7, 2)	(0.39, 0.952, 1.616)
P4-S5		(0.6, 0.8, 0.96)	(1.4, 1.8, 2)	(0.504, 1.152, 1.804)
P10		(0.3, 0.5, 0.7)	(0.4, 0.6, 0.8)	(0.072, 0.24, 0.526)
S1-S5		(0.6, 0.8, 0.96)	(0.7, 1.1, 1.5)	(0.252, 0.704, 1.353)
S5		(0.6, 0.8, 0.94)	(0.5, 0.7, 0.9)	(0.18, 0.448, 0.795)
TOTAL				(5.436, 12.97, 21.51)

.

Table 9. Aggregated risk score (ARS_jl) values.

Objective	Ajl	ARSjl	Objective	Ajl	ARSjl
1	A11	(5.436, 12.97, 21.51)	5	A25	(3.716, 9.738, 17.94)
	A21	(7.152, 16.92, 28.14)		A65	(0.341, 0.954, 1.92)
	A31	(0.546, 1.224, 1.88)		A95	(0.868, 2.214, 3.92)
	A41	(5.292, 12.48, 20.60)		A10-5	(0.14, 0.378, 0.72)
2	A52	(0.299, 0.918, 1.83)		A11-5	(1.036, 2.646, 4.72)
	A62	(2.037, 4.815, 7.792)		A12-5	(1.764, 4.482, 7.76)
	A72	(7.084, 16.50, 25.64)	6	A36	(0.245, 0.567, 0.88)
3	A23	(2.709, 6.093, 9.1)		A76	(0.21, 0.504, 0.88)
	A73	(2.569, 5.967, 9.462)	7	A87	(0.136, 0.52, 1.286)
	A83	(0.294, 0.648, 0.98)		A13-7	(0.446, 1.404, 2.796)
4	A24	(6.498, 20.1, 39.96)	8	A14-8	(0.588, 1.296, 1.94)

shows the ARS values calculated for each agent in its analysis by objective. It is necessary to add the values per agent, as a single source of occurrence based on Equation (3) and by objective based on Equation (4) (Section 2.10). The corresponding values are shown in

Table 10. Priority by risk agent (ARS_j).

Agent	Ajl	ARSj	Impact Score
1	A11	(5.436, 12.97, 21.51)	B2
2	A21	(20.07, 52.85, 95.15)	A1
	A23
	A24
	A25
3	A31	(0.791, 1.791, 2.76)	C2
	A36
4	A41	(5.292, 12.48, 20.60)	B2
5	A52	(0.299, 0.918, 1.83)	C2
6	A62	(2.378, 5.769, 9.712)	C1
	A65
7	A72	(9.863, 22.97, 35.98)	B1
	A73
	A76
8	A83	(0.430, 1.168, 2.266)	C2
	A87
9	A95	(0.868, 2.214, 3.92)	C2
10	A10-5	(0.14, 0.378, 0.72)	C2
11	A11-5	(1.036, 2.646, 4.72)	C2
12	A12-5	(1.764, 4.482, 7.76)	C1
13	A13-7	(0.446, 1.404, 2.796)	C2
14	A14-8	(0.588, 1.296, 1.94)	C2
15	A15-8	(10.33, 26.64, 44.38)	B1
16	A16-8	(0.294, 0.648, 0.98)	C2
17	A17-8	(13.95, 34.26, 57.39)	A2
18	A18-8	(0.756, 1.728, 2.768)	C2

and

Table 11. Priority by objective (ARS_l).

Objective	Ajl	ARSl	Impact Score
1	A11	(18.42, 43.60, 72.14)	B
	A21
	A31
	A41
2	A52	(9.420, 22.23, 35.26)	C1
	A62
	A72
3	A23	(5.572, 12.70, 19.54)	C2
	A73
	A83
4	A24	(6.498, 20.1, 39.96)	C1
5	A25	(7.865, 20.41, 36.98)	C1
	A65
	A95
	A10-5
	A11-5
	A12-5
6	A36	(0.455, 1.071, 1.76)	C3
	A76
7	A87	(0.583, 1.924, 4.082)	C3
	A13-7
8	A14-8	(25.92, 64.58, 107.4)	A
	A15-8
	A16-8
	A17-8
	A18-8

. To defuzzify the numbers, Pareto principle was used (approximately 10% A, 20% B, and 70% C) (Figure 7 and Figure 8 respectively). From this analysis, it was obtained that the agents with higher ARS are the following (in that order of priority): (1) Non-compliance with working methodologies and procedures (A_2i), (2) lack of commitment of workers (A_17-8), (3) lack of correspondence of training actions and training needs (A_15-8). The objective with the highest risk of non-compliance is objective 8.

For decision making, the previous analysis was incorporated into the design and control of BSC and KRIs were integrated. The establishment of priorities for this projection according to the ARS_j and ARS_l indicators should be taken into account. As part of the actions to mitigate risks and achieve effective SCM, checkpoints associated with the identified risk events were defined. These checkpoints were incorporated into the design of the processes. The thresholds between the measurements made on the control objects were considered for acceptable evaluation. This will respond to compliance with the procedures that describe the operations, technical instructions, physical parameters, time, and other aspects, thus facilitating the control of the activity. As an example,

Table 12. Checkpoints corresponding to the risk events of the Source process.

Activities	Risk Events	Nr.	Frequency	Control Object	Description	Range
Purchase management	S3	12	Monthly	Purchase plan and transfer requests	It is reviewed that the planned resources have been acquired both for the purchase in place and by transfer of orders.	60–100 (%)
	S1, S5	13	Quarterly	Purchase plan	Correspondence between the budget, the client’s request, approval levels, resource rotation, and the proposed purchase in place.	Yes/No
	S4	14	Yearly	Supplier evaluation	The contracting of unreliable suppliers is evaluated as unreliable if is less than 10% of the total contracting.	0–10 (%)
	S4	15	Yearly	Contract	Compliance with legal aspects of contracts with suppliers is reviewed (deficient contracts should not exceed 5% of total contracts).	0-5 (%)
	S2	16	Monthly	Purchase file	Everything concerning the resolution that protects the purchase in the square (Res. 93) is reviewed. Verifying that all purchases made are covered by contract (purchases not covered by contracts must not exceed 5% of total purchases).	0–5
Product reception	S6	17	Monthly	Blind reception	It is checked that the employee complies with the provisions of the reception process, that the materials received contain the corresponding documentation (transfer order or purchase order).	0–10 (%)
	S6	18	Monthly	Claim record	The preparation of the report that covers the process is reviewed before a complaint is filed.	Yes/No
Storage	S7	19	Monthly	Stowage card	The correspondence between the stowage card, the primary documents and the sub-major inventory is reviewed.	0–10
	S11	20	Monthly	Product localization	The correspondence between the stowage card and the physical location of the product is reviewed.	0–15 (%)
	S10	21	Monthly	Inventory movement indicator	The evaluation of the indicator should be ≥ 1.	≥1
	S8	22	Monthly	Registration of perishable products	Reflect the perishable products in the system and check the status of the products in store according to the data.	0–10 (%)
	S9	23	Monthly	10% inventory	A physical count of 10% of the existing product types in the warehouse (compared with SAP system).	0–1 (%)
	S9	24	Yearly	10% inventory	Physical count of 100% of the products and compare it with the value posted in SAP.	0–5 (%)
Issuance of payment	S12	25	Monthly	Invoice control record	Purchases made within the month have been delivered to the economic department for payment management (purchases not delivered to the economic department must not exceed 1%).	0–1 (%)

shows 14 checkpoints corresponding to the risk events of the Source process. Finally,

Table 13. Integration of RM into strategic management.

Objective	Ajl	Impact Score	Events	Checkpoints
1	A11	B	P1, P3, P4, P10, S1, S5	1, 3, 4, 9, 13
	A21		P1, P3, P4, P6, P8, P10, D3–D6, D9, R6	1, 3, 4, 7–9, 28–30, 34, 44
	A31		S3, D11, D16	12, 33, 40
	A41		P1, P3, P7–P9	1, 4, 6, 7, 9
2	A52	C1	P7, S10	6, 21
	A62		R2	42
	A72		S6, S8, S9, R1–R7	18, 22, 23, 41–45
3	A23	C2	P4, S1, S5, S9–S11	3, 13, 20, 21, 23, 24
	A73		P6, P8, S5, S9–S11, R5	8, 7, 13, 20, 21, 23, 24, 44
	A83		D3	28
4	A24	C1	P5, P6, P8, P9, S1, S2, S6–S9, S12, D1, D3–D5, D7–D10, D14, D15, D17, R2–R4, R6–R9, E5	5, 7–9, 13, 16, 17, 19, 22–26, 28, 30–32, 34, 37–39, 42–47, 51
5	A25	C1	P6, P8, P9, P11, S9, D1, D2, D6, D14, D15, R4, R6, R8, R9	7–9, 11, 23, 24, 26, 27, 29, 37–39, 43, 44, 46, 47
	A65		P5, S4	5, 14, 15
	A95		S4, D11, D16	14, 15, 33, 40
	A10-5		D2	27
	A11-5		S4, D11, D12, D16	14, 15, 33, 35, 40
	A12-5		S3, S4, D11, D16	12, 14, 15, 33, 40
6	A36	C3	D13	36
	A76		D13	36
7	A87	C3	S12, D3–D5	25, 28,30
	A13-7		P4, P10, P11, D12	3, 9, 11, 35
8	A14-8	A	E2, E4	50
	A15-8		P1, P2, P4, P10, P11, R9, E1	1, 2, 3, 9, 11, 47, 48
	A16-8		E3	49
	A17-8		S6, S7, S9, D1, D3, D4, D5, D7–D10, D14, D15, D17, R2, R4, R6, R7, E2, E4, E5	17–19, 23, 24, 26, 28, 30–32, 34, 37, 38, 42–47, 50, 51
	A18-8		E1, E2, E4	48, 50

shows a summary that integrates these elements. The company managers were left in charge of a proactive management tool of the strategy, which has allowed them to keep a constant monitoring and diagnosis.

4. Discussion

SCRM requires dealing with uncertainty, interrelations, and subjectivity inherent in the risk assessment process. Although several quantitative/qualitative tools and techniques have already been developed for SCRM, there is a limited focus on introducing holistic frameworks that not only integrate all stages of the RM process but also consider prior analysis of SC processes and strategic management focus. Existing frameworks generally focus on optimizing a single objective, generally a performance measure, without capturing the correlation effects of common risk triggers. Existing frameworks also do not consider the trade-off between multiple and interdependent strategic objectives at the same time.

The proposed approach in this study deals with capturing this complexity by integrating all of features in a holistic framework that combines qualitative and quantitative techniques for effective SCRM. A mathematical model with a fuzzy inference system was developed to aggregate risk values taking into account the correlations of agents and risk events associated with the achievement of objectives. The intra-and inter-dependencies among the categories were considered in the form of a risk network that provides a tool to visualize the position of a risk within the network and its influence on the key performance measures. The risk network also helps in identifying potential mitigation strategies and control measures which allows for a proactive management of the strategy (see Table 13).

The fuzzy risk assessment method proposed in this study estimates the uncertainty inherent in the input values and allows users to adequately describe the uncertainty. The use of fuzzy logic allows for the treatment of vague and ambiguity data from different domains and scales. In addition, this fuzzy method can easily be transformed into traditional probabilistic methods when sufficient information and knowledge is available.

The results of the study in the selected telecommunications industry show the identification and analysis of 18 sources of risk, which are translated into 26 risk agents and 54 risks events associated to eight objectives. The analysis and assessment of risk scores made it possible to identify, for the strategic period evaluated, that objectives 8 and 1 present higher risks. The risk sources that cause higher levels of risk and; therefore, require greater focus were agents 2 (aggregate objectives 1, 3, 4 and 5) and agent 17 (objective 8), followed by agent 15 (objective 8). The associated checkpoints facilitate proactive analysis in the achievement of activities. This scenario and its results may vary according to the strategic period, the nature of the objectives, and the dynamics of the environment, so a systematic diagnostic discipline must be adopted. However, the proposed framework is generic and can be applied in other service or manufacturing environments.

In general, this study highlights some important points that should be considered by managers when analyzing SCRM to support the achievement of strategic objectives, as managerial implications:

• This study has revealed the potential holistic nature of SCRM, by RM stages, SC processes, and multi-objective analysis. This is articulated in a unique approach and quantified by a proposed score (by agents and by objectives) that constitutes a valuable tool for risk monitoring and control.
• The study addresses the complex interrelationships from different sources, as well as the strength of the relationships between risk events and causal agents that can impact more than one objective simultaneously. This contributes to the optimization of mitigation strategies.
• The combination of the SCOR model and the BSC tool improves strategic deployment at all levels. The SCOR model provides a balanced set of KPIs between customer-focused attributes (reliability, responsiveness, and agility) and internal-focused attributes (cost and asset). Our framework is scalable to level 3 metrics that can be selected based on specific needs. In most cases, this detailed information is not readily available. However, for the initial deployment, SCOR metrics up to level 2 are enough and the required information is easily available. This detailed analysis of the processes, combined with the cause–effect analysis of the strategic guidelines of the BSC, allows for the disruptive traceability of the system.
• The methodology presented in this study shows a step-by-step guide that makes it easy for managers and decision-makers to develop each of the stages of the proposed holistic framework for conducting an aggregate risk assessment. The defuzzification method used with an easy-to-understand business tool (Pareto rules) increases the practical implications and facilitates the communication and understanding of managers and decision makers.

5. Conclusions

In this article, a new assessment approach for SCRM was developed. The theoretical and practical contributions of this paper are summarized below.

5.1. Theoretical Implications

This research contributes to the literature on SCRM integrated into strategic management by further analyzing its deployment and disruptive events interdependencies along the SC and processes.

First, we developed a holistic framework for proactive SCRM by integrating all RM stages with risk modelling and aggregation over multiple objectives and risk agents. This system captures the interdependence of risks in the strategic management at all SC levels and process.

Second, a re-engineering process based on the philosophy of the SCOR model as a preliminary analysis was proposed to allow for the alignment and operationalization of the strategy with RM. This analysis improves the control by activity through checkpoints identified in the processes.

Third, the proposed ARS can be used capture the risk agents and events dependencies in cascading effects of common risk triggers and quantify the aggregated score by risk agent and objective. This will overcome some of the limitations related to the traditional calculation of RPN. The consideration of severity as a final effect avoids redundancies in the calculation and the analysis of interdependencies (transverse and longitudinal) reduces the presence of “holes”. It also contributes to a more reliable risk assessment by addressing the randomness and epistemic uncertainty using linguistic variable as decision-makers, often due to lack of data and use of subjective judgments.

Fourth, our research integrates risk mitigation strategies into process performance assessment. The integration with the BSC tool constitutes a powerful combination allowing a proactive and effective management of the strategy.

5.2. Practical Implications

This research provides a practical and generic solution by which companies can holistically assess the risks associated with their objectives. This aggregated analysis helps managers and decision-makers to focus on the factors that affect the achievement of objectives as well as identify the risks that require more rigorous evaluation and monitoring.

The real application in a telecommunications company illustrates the viability of effectively combining human judgement in integrated aspects of performance and risk in the design and management of the SC. The results also contribute to highlighting the use of widely accepted and easily understood tools, integrated into a single approach (i.e., event trees, SCOR model, and BSC). The correlation and interdependency analysis combined with the treatment of epistemic uncertainty using fuzzy logic can be used to predict and prioritize risk agents (by agents and by objectives) on a systemic and continuous basis.

5.3. Limitations and Future Scope

This research has some limitations that can lead to future lines of research:

• In this research, the time variable was not considered. The dynamics and duration of risk events constitute an interesting challenge to be incorporated in the proposed mathematical model. This analysis can be conducted in terms of the severity of the impacts and the learning of the system.
• The quantification of ARS by process can be incorporated into the framework. It is important to emphasize that the relationships between all risk factors are not simply hierarchical and we must consider the interaction of risk agents. This analysis will allow for precise identification of redundant elements in the aggregation.
• Only one case study was used in this paper. Additional case studies can extend our model to other industries, and comparisons can also be made to determine how our model performs differently in diverse contexts. This would further enrich theoretical and managerial contributions.
• Additionally, although the mathematical model can be easily implemented in practice with a simple spreadsheet, input values require important data collection (different sources and nature) and brainstorming within the organization (cascade effect). Therefore, in the context of the forth industrial revolution (i.e., Industry 4.0), the integration with advanced technology tools and artificial intelligence techniques can be utilized to improve the decision-making and system learning.