Supply Chain Risk Management in the Hygiene and Personal Care Products Industry

Abstract

The Personal Care Products (PCP) industry, encompassing cosmetics, hygiene, and personal care items, serves millions of consumers daily and operates under constant pressure for innovation, agility, and sustainability. Within this context, supply chains are viewed as complex and integrated systems, composed of interrelated elements whose interactions determine overall performance and are influenced by external factors. Disruptions—particularly those involving indirect suppliers—can propagate throughout the network, affecting operations, reputation, and business outcomes. Despite the importance of the topic, empirical studies that systematically identify and prioritize these risks in the PCP sector remain scarce, which motivated the conduct of this study. Thus, the aim of this research is to identify, analyze, and evaluate the main supply risks faced by the PCP industry, considering severity, occurrence, and detection capability. Methodologically, the research employed an exploratory multi-case design, carried out in three steps: a literature review to identify key supply chain risks; structured interviews with industry experts to analyze and evaluate these risks; and the application of Gray Relational Analysis (GRA) to aggregate expert judgments and construct a prioritized risk ranking. This combination of qualitative and quantitative techniques provided a detailed foundation for analyzing and interpreting the main risks in the Brazilian PCP sector. The results indicate that indirect supplier failure is the most critical risk, prioritized by 70% of the companies studied. Other significant risks include the inability to meet changes in demand, import issues, lack of supply chain visibility, natural and social disasters, and sustainability or reputational concerns. Consequently, this study contributes to a systemic understanding of risk management in the PCP industry supply chain, providing managers with a practical mapping of critical points and highlighting concrete opportunities to strengthen integration, anticipate disruptions, and enhance operational resilience and performance across the sector.

1. Introduction

A company’s ability to operate can be critically affected by disruptions arising from any point in the supply chain [1]. Such disruptions are associated with different types of risks ranging from instability in demand to economic, humanitarian, or natural disturbances, such as the catastrophes that occurred in Japan in 2011 [2] and the COVID-19 pandemic in 2020, which caused unprecedented shutdowns on a global scale [3]. However, many cases of significant problems in the supply chain derive from supplier/supply management [4], as observed in various industries in recent decades, such as the recalls of 19 million Mattel products in 2007 and 4 million Dell units in 2006 [5].

Given the need for organizations to manage these risks, Supply Chain Risk Management (SCRM) has become an area of rapid growth and great interest, both academic and practical [6,7]. The ISO 31000 family of standards is among the main protocols used in SCRM, proposing a risk assessment process based on the steps of risk identification, risk analysis, and risk evaluation [8,9,10]. The goal is not only to reduce costs and vulnerability but also to ensure profitability, business continuity, and long-term growth. Therefore, an organization that is better prepared to manage risks can achieve a better market position [11].

In this context, a typical example of a fast-paced, profitable, and innovative market is the Personal Care Products (PCP) industry, also known as cosmetics, which encompasses a wide range of beauty and hygiene products, from makeup and perfumes to soaps, shampoos, and deodorants [12]. This is a growing global economic sector, with the European market valued at 77.6 billion euros in 2017 [13].

As part of the fast-moving consumer goods (FMCG) segment, the PCP industry is particularly exposed to supply chain risks due to factors such as high pressure for speed, innovation, and responsiveness [14,15].

In this study, the PCP supply chain is approached as a complex and integrated system, where interrelated elements interact and influence the performance of the whole network. This systemic perspective allows the analysis of risks and their propagation across the entire chain, considering both internal interdependencies and external environmental factors. By framing the supply chain as a system, the research aligns with a holistic view that emphasizes connections, interactions, and the dynamics of the network, providing insights beyond isolated or single-aspect evaluations.

Despite this vulnerability, there is a gap in the literature regarding empirical studies that systematically assess these risks in the specific context of the PCP industry. To address this gap, this research aims to identify, analyze, and evaluate the main supply risks faced by the PCP industry, considering the criteria of severity, occurrence, and detection capability.

In addition to the general objective, this research has two specific objectives, described below:

O1: Apply a systematic process for assessing supply risks in the Personal Care Products (PCP) industry.

O2: Develop an aggregate ranking of the main supply risks faced by this industry.

The research uses as a reference the methodological design proposed by Lavastre et al. [16], which constructs a risk ranking based on data collected from industrial supply chain experts. However, unlike that study, this work focuses specifically on the PCP industry and establishes an explicit connection with the risk management process defined by the ISO 31000 standard.

The relevance of this study is primarily divided into two aspects: First, several authors have urged researchers to develop empirical studies in SCRM [4,5,17]. Second, several authors have warned about the complexity of business models in the PCP industry, but empirical analyses of risk management focusing on the supply chain are scarce [12,13,18,19]. In fact, no ranking of supply chain risks in the PCP industry, nor even a SCRM application process, was found in the literature. Therefore, this research can be considered exploratory in the field of SCRM, as its contributions are innovative for the construction of scientific knowledge applied to a sector little studied in the literature. At the same time, this research presents practical contributions for managers who wish to systematically apply risk management in their organizations.

It should be noted that this empirical study is limited to the Brazilian cosmetics manufacturing industry. However, the Brazilian cosmetics manufacturing industry is representative on a global scale. The country is the fourth-largest cosmetics market in the world, with a 6.2% market share, and the largest in South America, with over 30%, according to a 2019 Euromonitor report [19]. According to the Brazilian Association of Cosmetics Manufacturing Industries (ABIHPEC), the sector is valued at around US$23 billion, exports to over 170 countries, and is responsible for over five million job opportunities in the country. It grew by 2.2% even during the 2020 pandemic, due to the essential role of cosmetics manufacturing in combating COVID-19 [20].

This paper is structured as follows: Section 2 summarizes the literature review. Section 3 details the materials and methods used in the research. Section 4 presents the results. Section 5 presents the discussions, while Section 6 presents the conclusions, limitations of the study, and suggestions for future research.

2. Literature Review

2.1. Supply Chain Resilience and Risk Management

Given the growing challenges of the global business environment, companies are compelled to develop collaborative networks with other corporations. This approach offers solutions to operational constraints and adaptive responsiveness to market changes through competitive advantages such as reduced transaction costs, the ability to focus on core business, and risk distribution among chain members [7,21,22,23].

On the other hand, organizing into complex supply chains also represents an increase in the interdependence of those involved and, consequently, an increased risk of significant losses in productivity and revenue. Therefore, proactively detecting and managing risks has also become an essential part of the supply chain environment [2,24,25,26].

Several recent examples demonstrate the effects of this interdependence, such as the 2011 earthquake and tsunami in Japan, which disrupted several global supply chains. In this regard, it can be noted that:

-

Apple suffered shortages of key parts for its iPad 2, while Nissan had to close a British plant for three days.

-

Another earthquake in Japan in 2007 affected auto parts supplier Ri-ken Corporation, halting production at Toyota, Mitsubishi, Suzuki, and Honda.

-

In the early 2000s, a fire at a supplier’s plant caused billions in losses for Ericsson.

-

The terrorist attacks of 11 September 2001, caused five Ford plants to close for several days.

-

Hacker attacks in 2011 and 2017 disrupted the operations of the Port of Antwerp and several global companies, such as Renault and FedEx.

-

Some series of ruptures also resulted from the Wechuan earthquake (China) in 2008, the volcanic eruption in Iceland in 2010, the floods in Thailand in 2011, and hurricanes Katrina and Sandy in the USA in 2005 and 2012 [2,5,17,27,28,29,30].

There are also reports in the literature of cases where significant losses stem from operational issues in the SC, unrelated to natural disasters or terrorist attacks. Often, these problems are related to suppliers:

-

During the 2000s, Dell and Mattel had to announce the recall of millions of units of their products due to non-conformities in the quality of parts delivered by their suppliers.

-

Land Rover had to lay off 1400 employees after a supplier went bankrupt. Boeing also suffered a billion-dollar loss due to parts delivery issues.

-

In 2005, components supplier Bosch caused problems for several automotive industry customers by delivering parts that had a defect caused by one of its own sub-suppliers.

-

On several occasions prior to the 2011 Japanese earthquake, Toyota was faced with parts shortages due to a lack of visibility into the operations of its indirect suppliers [5,27,31,32,33,34].

The aforementioned examples make it clear that the effects of a disruption propagate downstream, giving rise to the ripple effect, which must be combated by strengthening supply chain resilience [6]. In an empirical study, El Baz and Ruel [35] confirm that risk management plays a prominent role in leveraging supply chain resilience.

Resilience can be defined as the adaptive capacity to detect, respond to, and recover from disruptions [36,37]. Rajesh and Ravi [36] further define the following as resilience parameters (i) primary performance factors (quality, cost, and flexibility); (ii) visibility over inventory, demand, and production schedules of suppliers and customers, and speed to respond to them; (iii) risk reduction and knowledge of risk factors; (iv) technical and technological support; (v) sustainability.

To strengthen a supply chain’s resilience against the ripple effect, it is necessary to reduce vulnerability to disruptions and increase recovery capacity, allowing the chain to quickly return to a desired service level [6]. This goal, faced with increasingly frequent and severe disruption scenarios, can influence the design of a company’s supply base [38], as relevant issues such as “make vs. buy” and “single supplier vs. multiple suppliers” now require a decision-making process that considers not only cost criteria but also risk criteria [39]. Tang [40] also points to the flexibility of the supply base as one of the main aspects that drives supply chain resilience.

However, beyond the direct supplier base, an aspect that has been gaining attention from several authors is the inclusion of indirect suppliers in studies. In this sense, Diego and Montes-Sancho [41] recommend that companies conduct detailed network mapping to identify critical players in the second tier, while De Oliveira et al. [10] investigate integrated risk management between tier-1 and tier-2 suppliers. Similarly, Durach et al. [1] point out in an empirical study that supplier visibility, when extended beyond the first tier of the chain, can generate significant value and mitigate financial risks for the focal company. Thus, they conclude that it is essential to consider indirect suppliers in risk analyses, as we did in this study.

2.2. Supply Chain Risks

Supply chain risks are connected to the network’s resistance to new entrants, new practices and technologies [42] and reside mainly in the areas of supply, operations and demand [43]. Ho et al. [17] define supply chain risk as “the probability and impact of unexpected conditions or events at the macro and/or micro level that negatively influence any part of a supply chain, leading to failures or irregularities at the operational, tactical or strategic level”.

In a primary classification, the supply chain is subject to risks that can be divided into two categories: disruptive/catastrophic risks and operational risks [5,40], also called internal and external [28], macro-risks and micro-risks [17], or exogenous and endogenous [7]. Despite being primary, this binomial classification synthesizes several points of view found in the literature [17].

Thus, catastrophic risks refer to the threat of external factors that represent unpredictable and rare disasters, both natural and man-made: earthquakes, hurricanes, floods, terrorist and cyberattacks, wars, economic crises, and strikes, among others. Operational risks, on the other hand, are recurring internal factors that represent the uncertainties inherent in the supply chain, such as demand, cost, and capacity uncertainties: fluctuations in market demand, variations in production and logistics costs, absenteeism, equipment and machinery failure, system errors, and energy shortages [2,7,28,30,44]. Several recent cases can be found in the literature that demonstrate the disruptions derived from these risks and disseminated through network interdependence, as explained in Section 2.1.

Other authors propose different categories for classifying risk types. Hallikas et al. [42]: demand, delivery, cost, and flexibility; Manuj and Mentzer [45]: supply, demand, operational, and others; Blackhurst et al. [27]: catastrophes, logistics, supplier dependence, quality, information systems, forecast, legal, intellectual property, purchasing, accounting, inventory, capacity, management, and security; Tang and Musa [44]: material, information, and financial flow; Tummala and Schoenherr [46]: demand, delay, disruption, inventory, production downtime, capacity, supply, system, independence, and transportation. In turn, Rangel et al. [47] develop a classification system based on the SCOR (Supply Chain Operations Reference) model, which comprises the five essential supply chain processes: planning, supply, production, delivery, and return.

Ho et al. [17] synthesize the main classifications to date and create a conceptual framework that classifies risk types into the following categories: supply, production, demand, information flow, transportation flow, and financial flow (micro), and external events (macro). Wicaksana et al. [7] expand this classification system and present a typology based on three perspectives: characteristics (exogenous or endogenous; intentional or involuntary), location (supply, manufacturing, or demand; information, product, or financial flow), and impact (economic, social, or environmental). The authors draw attention to intentional risks, which are disruptions deliberately created by individuals seeking personal advantage.

On the other hand, risk factors are various events that lead to a specific type of risk, noting that (i) each factor is responsible for a different level of impact within the same type of risk and (ii) the peculiar characteristics of each chain must be analyzed when transposing a list of risk factors into practical application [17]. Some examples of risk factors are found in Manuj and Mentzer [48] (demand variation, inventory costs, product quality) and Tummala and Schoenherr [46] (natural disasters, purchase order errors, product obsolescence), among others. Ho et al. [17] draw on these two works and twelve other relevant articles to compose a comprehensive table of risk factors, which fits into their own risk type classification framework.

Subsequently, other authors identified new risk factors, such as Creazza et al. [30] and the risks related to digital transformation: ERP system malfunction, company website crash, lack of network connectivity, malware, data breaches, damaged records, and credential theft. Furthermore, the COVID-19 pandemic affected global operations, causing significant disruptions and highlighting the need for an even more in-depth look at supply chain risks [22,49,50,51], especially regarding the adaptability/flexibility, recovery/resilience, and resistance/robustness of these networks [52].

According to the Supply Chain Resilience Report 2021, the number of international organizations that suffered disruptions in 2020 is five times higher than in 2019, due to the logistical difficulties generated by unprecedented efforts to contain the virus, which involved lockdowns, border closures, and workforce limitations [7]. As a result, risk factors such as supply cuts, material shortages, production shutdowns, demand volatility, and increased lead times were observed [52]. A report by the consulting firm Deloitte indicates that around 90% of German industries suffered shutdowns due to insufficient supplies [23], while the Retaildive report indicates that Chinese production rates reached their lowest level since the Great Recession [53].

However, not all supply chain risks are directly related to disruptions. The main example is sustainability risks, which have been under increasing pressure because they can cause compliance issues, adverse stakeholder reactions, lawsuits, and, especially, damage to the company’s reputation. Loss of reputation, in turn, can lead to consumer boycotts, brand devaluation, and, consequently, significant financial losses [54,55].

Therefore, under the supervision of environmental agencies, NGOs, business partners, unions and communities, more and more companies are dedicating their efforts to sustainable development and socio-environmental responsibility strategies throughout their supply chain, aiming for the triple bottom line: efficiency and satisfactory results in economic, environmental and social terms [56,57].

In terms of environmental risks, climate change constitutes one of the main threats to sustainable supply chains (SSC), making it clear that there is a need to combat environmental problems in companies, such as high carbon emissions, water and soil pollution, and resource waste [55]. In terms of social risks, child labor, unhealthy conditions, and slave-like labor are some of the main problems that pose risks to the entire chain and must be observed by managers in the context of supplier selection, evaluation, and development [58].

Regarding policies to encourage sustainability, although the volume of resources allocated to implementing SSC is still insufficient in most companies [56], there are several initiatives such as that of the Walmart group, which uses prominent labels to promote suppliers with the best sustainability performance, and Levi Strauss, which offers financial benefits [57].

In this sense, Zimmer et al. [54] highlight the tendency for organizations at the end of the chain to absorb sustainability risks from suppliers and be held responsible for sensitive issues throughout the network from which they obtain their inputs. Thus, these authors explore the multiple levels of a global automotive industry chain and develop a model to assess ESG (Environmental, Social, and Governance) risks using six criteria: child and forced labor, occupational health and safety, wages and working hours, employee training, discrimination, and freedom of association.

It is important to note that the automotive industry is a benchmark in SCRM [17] and was identified by Santos et al. [4] as the main research environment for supply chain risks. One example is the study by De Oliveira et al. [10], which investigates companies linked to the automotive industry based on the ISO 31000/31010 standards and indicates that FMEA is the most appropriate technique for supplier risk management. However, for a focal company to reduce its exposure to ESG risks, suppliers also play a crucial role in granting access to information about the multi-tier chain, as the focal company must understand the differences between its indirect suppliers rather than viewing them as a homogeneous entity [41].

2.3. PCP Supply Chain Risks

The growing attention paid to ESG risks in the PCP industry is notable, given that negative events can generate adverse stakeholder reactions and damage the company’s reputation, even if they occur at its suppliers. However, this industry still presents a particular feature regarding ESG risks. Cosmetics consumers actively seek products that have a deep connection with nature, both in their formulation and in their production chain, from the extraction of raw materials to marketing and commercialization. Although ESG failures are generally frowned upon in other markets, this consumer behavior generates sustainability and reputational risks for the entire supply chain of the PCP industry, which have no parallel in other manufacturing industries [13,19,59].

Thus, risk management begins with the product’s composition. Cosmetic products are used daily by almost the entire global population, and their image is also intrinsically linked to people’s health and well-being, but fragrances and other ingredients contained in their chemical formulations can pose toxicological risks to humans, depending on the level of exposure. This also generates product quality and safety risks specific to the PCP industry, which set it apart from other manufacturing sectors. Even in the food industry, the core product is not primarily a chemical formulation. Therefore, it is essential that the PCP industry ensure consumer safety through risk assessment of raw materials, which are the main element of cosmetics quality control [13,59,60,61].

Furthermore, with significant pressures for service rate/availability, cost, and innovation, SCRM concerns are especially relevant in the PCP industry [14,15]. By way of comparison, the automotive industry is one of the most explicit examples of supply chain complexity and strict control of time, cost, and safety, with a focus on the just-in-time concept [16] and high vulnerability to supply chain disruptions [31]. However, it does not present the volume, reach, replenishment speed, and number of players of the PCP industry. These characteristics represent risks in the relationship with suppliers:

• Products are manufactured and distributed in large volumes and at high speed, under the logistical premise of being in the right place, at the right time, and in the right quantity, since consumers have no difficulty in finding substitute products with similar characteristics. Product availability on retail shelves is the key factor. Thus, suppliers must be able to meet these requirements, which are not as evident in heavy industries or industries that work with smaller volumes [14,15,62].
• The pursuit of new product development is significant, with manufacturers frequently changing their products or introducing new launches, in addition to the constant threat of new entrants in an already densely populated market. This type of approach is not common in other industries. Therefore, suppliers need to be prepared and very well integrated with the PCP manufacturer [63,64].

These characteristics are typical of the FMCG segment in general (PCP, food, apparel, among others) and are not observed in other segments such as automotive, technology, or infrastructure [14,15]. However, even within the FMCG segment, the PCP industry stands out for the aforementioned sustainability and consumer health risks, which are not observed in other manufacturing industries. Therefore, all of these characteristics, as well as the risks mentioned in this subsection, were considered and addressed in the preparation of this empirical study.

3. Materials and Methods

This research is classified as a multi-case study with an exploratory approach. The research methodological procedure was divided into three steps. Step 1: A literature review aimed to identify supply risks in the PCP industry. Step 2: Structured interviews with supply chain experts from PCP industries aimed to analyze and evaluate the risks identified in the literature. Step 3: Application of the Gray Relational Analysis (GRA) multi-criteria decision-making method to assess and rank these risks, aggregating the views of the interviewed companies.

At the end of step 2, we will have met objective O1. At the end of step 3, we will have met objective O2. Furthermore, each of the three steps corresponds to a stage of the ISO 31000 risk assessment framework: risk identification, analysis, and evaluation [65]. This framework has been applied to conduct SCRM in the literature [9,10] and has become the preferred framework in corporations for implementing a risk management program [8]. Figure 1 summarizes the methods of this research, as detailed throughout this section. The final result is the aggregated risk ranking for the PCP industrial sector.

Therefore, the first step was to identify the risks. We used the literature review method to select the main supply risk factors already identified in other sectors of the manufacturing industry, as well as risks specific to the cosmetics industry. To this end, we used the article by Ho et al. [17], presented in Section 2 (Literature Review) of this work, as a basis. The study was selected for three reasons: (i) it is a seminal article on risk identification and classification, with 523 citations in the Web of Science (WoS) database at the time of this research; (ii) it is a review work that encompasses several previously published seminal risk identification frameworks, such as Tang [40], Manuj and Mentzer [48], Blos et al. [66], Thun and Hoenig [31], Tummala and Schoenherr [46], among others; and (iii) although Wicaksana et al. [7] present a more recent and broader risk typology in relation to risk classification, Ho et al. [17] present the prism of relating risk types and risk factors, in a way that better adapts to the risk identification activity and, therefore, to the objectives of this research.

Next, we added other supply chain risk factors identified in the literature after Ho et al. [17]. These studies were selected to enable the inclusion of current risk factors not addressed by Ho et al. [17], with the aim of ensuring the connection of this research with the most recent developments in the field. Note that all the mentioned articles are indexed in the WoS database due to its broad multidisciplinary coverage, quality, and relevance [67]. In agreement, De Oliveira et al. [9] reveal that the WoS and Scopus databases contain 95% of all published articles on SCRM.

To this end, three searches were conducted in WoS: the first, using the terms “Supply chain” (Topic) AND “Risk management” (Topic) AND Supplier (Title), yielded 32 articles of interest for this research, which were stored. The second search, using the terms “Supply chain” (Title) AND “Risk management” (Title), yielded 24 articles of interest for this research, which were stored. In both searches, the filter Document types: article or review article was applied.

From the reading of the 56 stored articles, the following risk factors were included: failures of indirect suppliers, which can propagate disruptions throughout the chain [24,32,37]; having suppliers located in geographic areas prone to natural and social disasters, which includes events such as earthquakes, floods, terrorist attacks and sociopolitical instability [6]; risks related to sustainability, which can cause damage to the company’s reputation [54,55,58]; malicious actions of supply employees [7,67]; even applying a treatment approach may create another risk to be assessed [68], and hacker attacks on supplies, which can involve data theft and other consequences [30].

The third search focused specifically on the PCP industry. Our goal was to identify connections between this industry and the topic of SCRM. Several search criteria were used, and those that returned relevant results are shown in

Table 1. Search criteria for the PCP industry.

Topic	AND Topic	AND All Fields	Registers Found	Registers Retained
supply chain	risk management	Cosmetics	4	2
supply chain	risk management	personal care	11	1
supply chain	risk management	fast moving consumer goods	18	5
supply chain	risk management	FMCG	10	1
-	“risk management”	Cosmetics	58	1
-	“risk management”	“personal care” industry	7	1
-	“supply chain”	Cosmetics	89	4
-	Performance	“cosmetics industry”	70	1
		Total	267	16

. In each case, the logical operator “AND” and the filter “Document types: article or review article” were used.

After reading the abstracts of the retrieved articles, it was found that the vast majority deal with technical aspects of pharmaceutical chemistry, botany, and marketing. Therefore, they are unrelated to the present research and were not retained. Thus, 16 articles of interest for this research were retained, approximately 6% of the total 267 records retrieved. Note that other search terms with variations for the PCP sector were also tested in the All Fields column, such as “toiletries” and “beauty care,” but they did not produce any results and are not listed in Table 1. In particular, we highlight that searches using the term “ISO 31000” returned no results. Furthermore, none of the retrieved articles presented a risk ranking or a systematized SCRM process.

Thus, after reading the 16 retained articles, a new risk factor was identified: consumer health risks due to exposure to chemical ingredients contained in cosmetic product formulations [13,59,60,61]. The other risks highlighted in the articles had already been identified previously in other sectors of the manufacturing industry and were included in this study. Therefore, our research identified 19 risk factors in total. The results are presented in Section 4.1 (Risk assessment).

Therefore, we developed an empirical study with supply chain professionals from large PCP companies in Brazil, using structured interviews, an auxiliary technique contained in the complementary standard ISO 31010 [69]. The PCP sector in Brazil is representative on a global scale, being the fourth largest cosmetics market in the world [19]. Although the objective of this research is not to precisely determine the most relevant brands in Brazil, nor to perform a probabilistic sampling by mapping all existing industries in the country, it is in our interest that the industries selected for the study are truly relevant in the market.

To further this objective, we obtained a sales report segmented by manufacturer from a major retail chain specializing in PCP in the state of Rio de Janeiro. Retail is crucial to the supply chain of the cosmetics and non-durable consumer goods industry in general [12,14,63], so it makes sense for the study to begin at this point in the chain. Based on this report, we applied the Pareto criterion to select the industries responsible for 80% of the retail chain’s sales, resulting in 10 pre-selected industries for the study.

To ensure greater robustness and reduce the likelihood of bias, we conducted visual inspections in 13 other large retail chains located in the Rio de Janeiro–São Paulo region, Brazil’s most socioeconomically significant, as well as in e-commerce platforms with nationwide penetration. The products of the pre-selected companies had to be present in 80% of stores and on more than one online platform for the company to be selected for the study. This sequence of structured steps ensures that the companies participating in this study are relevant to the Brazilian PCP market.

The 10 industries met the requirements and were therefore selected for the study. Each industry was responsible for presenting a supply chain professional (specialist) for interview, and each professional was interviewed only once, via online meeting, between March and April 2024. Prior contact was made with each of them to confirm their knowledge of the processes covered in the study. The specific area of expertise of the professional within the organizational supply chain varied according to each company’s configuration.

Table 2. List of experts interviewed.

	Area	Position	Level of Education	Degree	Years of Experience	Years in the Company
E1	Production	Management	Master’s degree	Engineering	12	1
E2	Production and operation	Management	Bachelor’s degree	Engineering	5	15
E3	Quality	Management	Bachelor’s degree	Chemistry	21	3
E4	Operation	Senior management	Master’s degree	Engineering	38	2
E5	Production	Coordination	Bachelor’s degree	Administration	5	3
E6	Operation	Senior management	Master’s degree	Chemistry	15	15
E7	Products development	Supervision	Bachelor’s degree	Engineering	8	1
E8	Business management	Senior management	Specialization	Administration	18	7
E9	Production	Management	Specialization	Engineering	29	9
E10	Purchase	Analysis	Bachelor’s degree	Economy	15	12

presents the basic information on the professionals’ presentations.

During the interview, the expert was asked about the severity (S), probability of occurrence (O), and detectability (D) for each of the 19 risk factors identified in the literature. The expert was also given the opportunity to comment and identify any unlisted risks, ensuring that the process is tailored to each organization’s needs, as recommended by the ISO 31000 family of standards.

This method is based on the FMEA tool, which uses the multiplication of the parameters S, O, and D to generate the risk priority number (RPN), and the higher the RPN, the higher the risk treatment priority [70]. FMEA is recommended as strongly applicable by ISO 31010 for the risk analysis and evaluation stages, has a strong history of application in contemporary literature and was selected by the automotive chain as the most suitable for SCRM [10].

Considering that ambiguities when dealing with imprecise data can be reduced through a linguistic evaluation of the attributes [36], a linguistic scale from 1 to 10 was developed for the evaluation of S, O, D. The main aim is to ensure that all experts provide answers that fit within the same interpretative scale, as carried out by De Oliveira et al. [70].

Note that, in the case of parameter D, the scale’s logic is reversed: the lower the company’s risk detection capability, the higher the value, as this increases the risk priority (RPN). To avoid potential confusion among respondents unfamiliar with the tool, the questionnaire was designed using a straightforward and intuitive scale, where respondents were asked to respond only with the percentage representing the company’s risk detection capability. Later, during the data analysis stage of this research, the percentage was converted to the appropriate score, between 1 and 10.

Table 3. Severity, Occurrence and Detection Scale.

Severity (S)		Occurrence (O)		Detection (D)
Interpretation	Score	Interpretation	Score	Interpretation	Score %	Score
Does not cause harm	1	Occurs less than once a year	1	Chance of detecting the problem	10%	10
Very slight losses; disruption of few products curve B-C for less than 1 month	2	Occurs once a year	2	Chance of detecting the problem	20%	9
Minor damage; multiple product disruptions curve B-C for 1–2 months	3	Occurs once every 7–11 months	3	Chance of detecting the problem	30%	8
Moderate losses; 1 curve A product out of stock for more than 1 week; some customer complaints	4	Occurs once every 6 months	4	Chance of detecting the problem	40%	7
Relevant losses; disruption of multiple products, including curve A, for more than 1 month; problems with customers or consumers	5	Occurs once every 4–5 months	5	Chance of detecting the problem	50%	6
Large losses; long disruptions; some customers cannot be served; price and/or quality problems	6	Occurs once every 3 months	6	Chance of detecting the problem	60%	5
Huge losses; sharp drop in sales; many complaints from customers and consumers; serious quality problems	7	Occurs once every 2 months	7	Chance of detecting the problem	70%	4
Extremely large losses; lawsuits, recalls, loss of customers and reputation on a large scale	8	Occurs once a month	8	Chance of detecting the problem	80%	3
Irreparable damage, in the order of millions	9	Occurs a few times (2–3) per month	9	Chance of detecting the problem	90%	2
Company bankruptcy	10	Occurs several times (>4) per month	10	Chance of detecting the problem	100%	1

details the scale.

The RPN is appropriate for an individualized risk assessment within each company’s internal context, as it is highly applicable to risk assessment [69] and widely used in the literature and industrial practice [70,71,72]. For the calculation of the RPN of a risk factor, any combination of S, O, and D is possible, since the three parameters are independent. In Table 3, for example, it can be observed that the lowest possible RPN is 1, resulting from the multiplication of S = 1, O = 1, and D = 1. This would represent a very low level of risk, which would not require efforts on the part of the company. It makes sense that this risk factor would simply be accepted as part of day-to-day operations.

On the other hand, the highest possible RPN is 1000, resulting from the multiplication of S = 10, O = 10, and D = 10. This would represent a very high level of risk, which would require prioritization of treatment by the company. It makes sense that this risk factor should be addressed with a robust and timely action plan developed by a multidisciplinary team; that it should be constantly monitored; and that it should be reported to top management.

Therefore, calculating the RPN for each of the 10 industries fulfills objective O1 of this research, the results of which are presented in Section 4.1 (Risk Assessment). However, the individual RPN alone does not fulfill objective O2, which is to present an aggregated view of the 10 industries regarding the risks in the PCP sector.

It would also not be possible to calculate an average RPN from the obtained set, since the values of S, O, and D are assigned based on the experts’ perceptions. After all, as widely discussed in the literature, the validity of calculating means and parametric statistical methods of human opinions derived from Likert-type scales is controversial and questionable, as is the classification of Likert-type scales as ordinal or interval [73,74,75]. It is not the purpose of this study to delve into this discussion but rather to enable the analysis of the problem and propose a solution with the necessary robustness, without incurring controversies and possible methodological flaws.

Therefore, we used the multicriteria decision-making method Gray Relational Analysis (GRA). Pointing out which multicriteria method is most appropriate for a given decision-making problem is neither easy nor guaranteed, since an optimal alternative may not exist. However, we chose the GRA method because (i) it is a method for aggregating qualitative and quantitative data and providing a ranking as the main result, which is our goal; (ii) it has been proven simple and straightforward in calculations and prioritization [76]; (iii) it has been proven efficient in dealing with the uncertainties and subjectivities of human judgment [36,77,78]. The calculation structure of GRA is quite similar to TOPSIS. However, in a comparative study by Kuo et al. [76], the GRA method achieved more consistent performance than TOPSIS. The AHP method, on the other hand, works with a different structure (choosing an alternative by pairwise comparison) and would not fit the needs of our study.

The calculations were developed according to the procedure outlined by Kuo et al. [76], which is the most cited article in WoS on GRA. Each value of S, O, and D was considered a decision attribute, and the risk factors were considered alternatives. Thus, the GRA method consists of identifying the optimal performance standard among the alternatives, according to the objective of maximizing or minimizing each attribute. After a series of normalizations, the final result is a ranking of the alternatives, determined by the “distance” (gray relational coefficient) of each alternative to the standard [76]. This generated the aggregate risk ranking of the PCP industry, fulfilling objective O2 of this research. The results are presented in Section 4.2 (Risk ranking).

4. Results

4.1. Risk Assessment

As described in Section 3 (Materials and Methods), the first step of this study was to use a literature review to identify 19 supply risks in the PCP industry.

Table 4. Supply risk factors.

Reference	Risk #	Supply Risk Fator
[17]	1	Inability to meet quality requirements
	2	Inability to meet changes in demand
	3	Inability to meet delivery requirements
	4	Inability to offer competitive prices
	5	Inability to increase production
	6	Supplier bankruptcy
	7	Single supplier
	8	Supplier dependence
	9	Responsiveness of alternative suppliers
	10	Import issues (global supplier)
	11	Technological disadvantage compared to competitors
	12	Lack of integration with suppliers
	13	Lack of visibility over suppliers
[24,32,37]	14	Indirect supplier failures
[6,31]	15	Natural and social disasters in suppliers
[54,55,58]	16	Sustainability and reputation risks in suppliers
[7,11]	17	Malicious actions in supplier management
[30]	18	Hacker attacks
[13,59,60,61]	19	Product safety (consumer health)

displays the identified risk factors.

The second step of our methodological procedure was to conduct structured interviews with supply chain experts from 10 PCP companies in Brazil, based on the FMEA risk management technique, to analyze the identified risk factors. The results are shown in

Table 5. Analysis and evaluation of risk factors by RPN.

	E1				E2				E3				E4				E5				E6				E7				E8				E9				E10
Risco	S	O	D	RPN	S	O	D	RPN	S	O	D	RPN	S	O	D	RPN	S	O	D	RPN	S	O	D	RPN	S	O	D	RPN	S	O	D	RPN	S	O	D	RPN	S	O	D	RPN
A1	5	5	1	25	8	1	1	8	8	3	3	72	6	4	3	72	4	2	2	16	8	1	2	16	4	2	6	48	10	1	1	10	7	1	1	7	5	3	6	90
A2	7	7	6	294	7	1	6	42	6	2	3	36	8	5	7	280	5	4	1	20	7	2	5	70	6	1	3	18	6	1	1	6	6	2	2	24	5	3	8	120
A3	5	8	7	280	7	1	1	7	9	7	3	189	6	5	6	180	5	4	3	60	4	1	3	12	6	3	6	108	5	1	1	5	5	2	2	20	6	3	8	144
A4	2	3	5	30	5	2	6	60	8	2	3	48	4	6	4	96	2	8	1	16	3	5	2	30	5	5	3	75	5	1	1	5	7	3	2	42	5	2	7	70
A5	8	6	4	192	8	1	1	8	8	2	3	48	5	3	7	105	6	4	4	96	8	1	2	16	6	5	2	60	7	1	1	7	7	2	2	28	6	2	8	96
A6	8	2	3	48	5	1	3	15	9	1	2	18	8	1	9	72	6	1	2	12	9	1	2	18	5	1	8	40	10	1	1	10	7	2	3	42	7	1	8	56
A7	9	2	2	36	4	1	1	4	9	1	2	18	8	5	2	80	7	5	3	105	2	7	1	14	3	1	6	18	1	10	1	10	8	2	1	16	7	1	7	49
A8	5	7	3	105	5	1	2	10	9	1	2	18	6	3	4	72	8	2	2	32	8	1	1	8	6	2	5	60	1	10	1	10	6	2	2	24	7	3	8	168
A9	5	6	3	90	8	1	1	8	8	1	2	16	5	2	4	40	8	3	4	96	3	1	6	18	4	2	4	32	5	2	1	10	8	1	2	16	4	2	7	56
A10	9	10	2	180	5	1	1	5	8	2	2	32	7	3	9	189	8	2	4	64	4	3	4	48	6	2	5	60	7	4	1	28	7	2	3	42	1	1	1	1
A11	7	6	4	168	5	1	1	5	7	2	5	70	5	3	8	120	2	1	1	2	1	1	9	9	7	4	9	252	5	3	1	15	5	2	3	30	5	3	8	120
A12	5	6	3	90	8	1	1	8	8	2	3	48	7	1	7	49	3	2	4	24	5	1	6	30	4	2	6	48	6	1	1	6	7	2	2	28	8	1	2	16
A13	8	5	6	240	4	1	3	12	6	10	10	600	5	7	8	280	3	2	4	24	8	1	4	32	6	3	5	90	8	1	1	8	6	2	2	24	6	3	6	108
A14	8	10	9	720	8	2	6	96	6	2	10	120	5	2	10	100	4	3	5	60	4	2	9	72	5	1	10	50	8	3	5	120	7	2	4	56	8	3	8	192
A15	8	3	9	216	5	1	1	5	7	1	3	21	7	3	9	189	6	1	1	6	8	2	10	160	2	1	10	20	8	1	8	64	6	2	2	24	8	1	10	80
A16	7	4	9	252	7	1	6	42	7	1	3	21	8	2	9	144	5	1	3	15	2	2	10	40	1	1	10	10	9	1	8	72	6	2	2	24	9	1	8	72
A17	8	1	3	24	7	1	1	7	8	1	3	24	7	1	8	56	6	1	2	12	5	1	8	40	3	3	10	90	7	1	8	56	8	1	1	8	8	1	2	16
A18	8	3	3	72	9	1	1	9	8	1	3	24	7	2	10	140	9	2	2	36	5	1	4	20	5	1	10	50	6	3	4	72	8	1	1	8	8	1	10	80
A19	10	2	2	40	8	1	1	8	7	1	3	21	8	1	4	32	8	1	2	16	9	1	3	27	8	1	1	8	10	1	1	10	10	1	1	10	9	1	3	27

, including the RPN calculation. The higher the RPN, the higher the risk treatment priority [70]. The risk factors were labeled A1 to A19, in the same order they appear in Table 4. In the case of parameter D, as already demonstrated in Section 3 (Materials and Methods), it was necessary to perform a scale conversion between the percentage responded by the expert and the appropriate score.

The RPN calculation corresponds to the risk evaluation step in the ISO 31000 standard process. For example, company E1 evaluated A14 (indirect supplier failure) as its main risk factor, as it has the highest RPN (720). A14 is also perceived as the main risk factor by companies E2, E8, E9, and E10. This result is primarily due to the low ability to detect indirect supplier failures, as evidenced by the high values assigned to parameter D by these companies.

To segment each company’s most relevant risks, we defined the term “prioritized risks” as the set of a company’s four main risk factors—the four risk factors with the highest RPN. This definition of four positions was based on the Pareto criterion (20% of the elements account for 80% of the data), considering that 20% of the 19 risk factors are four risk factors, which would then account for approximately 80% of the company’s total risks. For example, company E1’s prioritized risks are A14, A2, A3, and A16.

Next, based on the data in Table 5, we constructed a graph to demonstrate the prioritized risks and their prioritization relationships across companies. As shown in Figure 2, each gray node represents a risk factor, and each white node represents a company interviewed. Ties between nodes indicate that the risk factor was prioritized by the company, with a brightly colored tie representing the first position, while a light-colored tie represents positions 2, 3, or 4. Risk factors A12 and A19 were not prioritized by any company, so they are not included in the graph.

From the graph, we can conclude that risk A14 (indirect supplier failures) was prioritized by 7 companies: E1, E2, E3, E6, E8, E9 and E10, in which 5 were in first place (E1, E2, E8, E9, E10). The other risks that were prioritized most often are: A2 (inability to meet changes in demand), 5 companies, 1 first place; A3 (inability to meet delivery requirements) and A10 (import problems), both 4 companies, 0 first places; A13 (lack of visibility into suppliers), 3 companies, 2 first places; A15 (natural and social disasters at suppliers), 3 companies, 1 first place; and A16 (sustainability and reputation risks at suppliers), 3 companies, 0 first places. All of these risks (and no other) were prioritized by at least 30% of the companies. Note that A2 and A13 tied for first place with company E4, which is why E4 has two strong colored ties in the graph.

During the interviews, we allowed experts to add any relevant risk factors for their company that were not included in this study. However, all experts chose not to add new risks, as they considered the risk list proposed in this study to be adequate and meet their company’s objectives. Therefore, the risk assessment presented in this subsection concludes step 2 of our methodological procedure and meets objective O1 of this research.

4.2. Risk Ranking

In the third step of this study, the GRA method was applied to aggregate expert opinions and achieve objective O2, as the RPN only assesses each company’s risks independently. In constructing the initial matrix of the problem, the risk factors were considered alternatives (rows), and the parameters S, O, and D analyzed by the experts were considered attributes (columns). All attributes have a maximization objective. After all, the aim is to identify the most damaging risks for the sector, and the higher the values associated with S, O, and D, the worse the scenario for the company, as is the case with the RPN. The calculation report, developed according to the procedure of Kuo et al. [76], is as follows.

(I) Use the initial matrix as input and generate the normalized matrix with Equation (1). Consider that: y_ij = each element of the initial matrix. The normalized matrix can be found in Appendix A.

$$x_{ij}={\displaystyle \frac{y_{ij}-Min\left(y_j\right)}{Max\left(y_j\right)-Min\left(y_j\right)}}$$

(1)

(II) Use the normalized matrix as input and generate the coefficient matrix with Equation (2). Consider that: x_rj = highest value of each column; Δij = | x_ij – x_rj |; Δmin = lowest Δij; Δmax = highest Δij; ζ ε [0, 1]. The coefficient matrix can be found in Appendix A.

$${\gamma }_{ij}={\displaystyle \frac{∆min+\mathsf{\zeta }∆\mathrm{m}\mathrm{a}\mathrm{x}}{∆ij+\mathsf{\zeta }∆\mathrm{m}\mathrm{a}\mathrm{x}}}$$

(2)

(III) Use the coefficient matrix as input and generate the gray relationship degrees with Equation (3).

$$\mathsf{\Gamma }\mathrm{i}={\sum }_{j=1}^n{w}_j{\gamma }_j$$

(3)

It can be observed that:

(i)

In order to calculate the coefficient matrix, ζ = 0.5 was adopted, which is the value usually attributed to the distinction coefficient [77]. The value of ζ can be arbitrated by the decision maker, and its variation causes differences in the distances between the alternatives, but does not change the final ranking [76].

(ii)

In calculating the degree of gray relationship, equal weights wj were used. That is, wj = 1/30, as these are normalized weights.

The gray relationship degree concludes the application of the GRA. The higher the gray relationship degree of an alternative, the higher its ranking [36,76,77,78]. Thus,

Table 6. Aggregate risk ranking.

Ranking	Gray Rel. Degree	Risk Factor	Description
1	0.675	A14	Indirect supplier failures
2	0.580	A16	Sustainability and reputation risks in suppliers
3	0.556	A15	Natural and social disasters in suppliers
4	0.553	A13	Lack of visibility over suppliers
5	0.537	A18	Hacker attacks
6	0.533	A4	Inability to offer competitive prices
7	0.531	A19	Product safety (consumer health)
8	0.528	A6	Supplier bankruptcy
9	0.523	A2	Inability to meet changes in demand
10	0.517	A3	Inability to meet delivery requirements
11	0.514	A7	Single supplier
12	0.513	A8	Supplier dependence
13	0.511	A5	Inability to increase production
14	0.498	A10	Import issues (global supplier)
15	0.498	A17	Malicious actions in supplier management
16	0.497	A11	Technological disadvantage compared to competitors
17	0.475	A1	Inability to meet quality requirements
18	0.463	A12	Lack of integration with suppliers
19	0.455	A9	Responsiveness of alternative suppliers

shows the aggregate risk ranking of the PCP industrial sector in Brazil, based on the perception of specialist supply chain managers in the sector.

Therefore, it can be concluded that the risks prioritized by PCP companies are: A14 (indirect supplier failure), A16 (supplier sustainability and reputation risks), A15 (supplier natural and social disasters), and A13 (lack of supplier visibility). Comparing this result with the individual PCP results shown in Figure 2, it can be seen that all four risks prioritized by the aggregated view of the sector are also among the risks prioritized most often in the individual results—they were prioritized by at least 30% of the companies.

5. Discussion

Several authors claim that empirical studies on SCRM in the PCP industry are scarce [12,13,18,19]. We corroborated this assertion with a literature search, as shown in Table 1 and throughout Section 3 (Materials and methods). No articles were identified that apply any systematized process for risk management, which highlights the research gap that this study addresses. Nor were any references to the ISO 31000 standard in the context of the PCP industry identified, which contributes to the innovative nature of this research.

By analyzing the results of our empirical study, we can see that the application of GRA enabled a deeper aggregated view than discretized data could offer. The graph in Figure 2 shows the risks prioritized by each company in a discretized manner—that is, which companies ranked most frequently among the top four. This information is an indication of the most relevant risks for the PCP sector, according to the judgment of the experts at the companies studied.

However, managers and researchers guided solely by this indicator could reach incomplete conclusions. For example, the GRA results indicate that the second-highest priority risk in the sector is A16 (sustainability and reputation among suppliers). This means that, despite not being selected as the first risk by any company, A16 (which was prioritized by three companies) presented stable performance, consistently remaining close to the benchmark (highest score) for the S, O, and D parameters, even when other risks ranked higher. In other words, there is a high level of agreement among companies that A16 is a significant risk.

The same is not true, for example, of A10 (import problems). Although it was prioritized by four companies with global suppliers at risk, the other six companies plan their supply chains to minimize dependence on imported raw materials. Overall, the frequency of occurrence of this risk was low, consistently far from the benchmark for parameter O. Therefore, in the aggregated view of the sector, A10 ranked only 14th.

This type of hidden information in the data could be revealed through GRA, as the method analyzes the root cause of the problem (the relationships between the S, O, and D parameters), not just the discretized result (the number of times the risk was prioritized). This demonstrates the power of GRA to aggregate data in comparative assessments and offer decision support, which is consistent with several points of view presented in the literature [36,76,77,78].

Therefore, the risk factor considered most relevant by the PCP sector was indirect supplier failure (A14), which ranked first in the risk ranking, mainly due to its low detection capacity. A14 was also the most frequently prioritized factor (70% of companies) and the factor that ranked first most often (50% of companies). Overall, this result reflects a positive aspect: companies have already developed a mature understanding of supply management as a multi-tier chain, which does not depend solely on direct suppliers. However, it also reflects a negative aspect: the current capacity for detecting multi-tier failures is not satisfactory and must be improved through action plans.

In this sense, the low detection capacity is a cause for concern and one of the most important findings of this work, which requires due attention from PCP industries in Brazil. Although the relationship is stronger with direct suppliers, it is well established that every organization also bears some of the risks of indirect suppliers [6,42]. Thus, industries depend on the ability of their direct suppliers to demonstrate resilience to previous levels of the supply chain [1].

However, this responsibility should not fall entirely on suppliers. An example can be seen in the automotive industry: a lack of visibility into the operational risks of indirect suppliers led Toyota to a scenario of disruptions and widespread shortages after the 2011 Japanese earthquake. As a result, the company focused its efforts on mapping its supply chain prior to primary suppliers, despite this being a costly task [32].

The lessons learned can be applied to the Brazilian PCP industry. As a managerial extension of this work, we recommend that a cosmetics company, when selecting a particular company as a supplier, learn about that company’s supply chain and apply a quantitative selection model that considers the existing risk profiles within that chain. This recommendation is supported in the literature, for example, by Ghadge et al. [49]. We also recommend that the company develop a map of its existing network of indirect suppliers and understand their correlations. As an initial step in this task, we recommend that the company seek information from direct suppliers so that it can begin to establish relationships with the previous levels of the chain, as also supported by Durach et al. [37] and Diego and Montes-Sancho [41].

There is also a clearer path to mitigating indirect supplier risks, which is through improving the operations and structure of direct suppliers [2]. For this improvement to occur, in practice, the PCP industry itself must consider taking proactive actions. One such action is offering training to supplier teams [33]. At a more advanced stage of maturity, supplier training can be carried out in partnership with competing industries in an effort toward cooperative competition, as has been observed in the automotive industry [37,79].

Another recommended point for supplier training is the importance of the Business Continuity Plan (BCP). The example of best practices comes from a benchmark within the FMCG segment itself, of which the PCP industry is a part: according to a case study by Pellegrino et al. [80], a leading international company points out that a robust and ready-to-implement BCP is one of its main risk mitigation strategies. This company also follows the principle of educating its suppliers about business needs and risks.

After indirect supplier failure, the second prioritized risk factor in the ranking was sustainability and supplier reputation (A16), as already mentioned. This is an interesting finding, demonstrating that companies are paying attention to and giving relevance to current trends. The pressure for compliance extends to an industry’s suppliers; if the chain fails to meet the triple bottom line, the industry may suffer adverse stakeholder reactions, consumer boycotts, and brand damage [54,55]. The results corroborate the view found in the literature that this concern is especially relevant in the cosmetics sector, as highlighted in recent studies such as Bom et al. [13] and Acerbi et al. [59].

Other industries also present concerns about sustainability, including in the direct and indirect supplier chain, as pointed out by Zimmer et al. [54] in the automotive industry. However, an automobile is not composed of botanical essences. Since the image of cosmetic products is intrinsically tied to nature (due to the very components and active ingredients of the products), the end consumer actively desires these products to be “natural” as a quality requirement.

As a logical consequence, the contemporary PCP consumer also demands that these products significantly respect the environment throughout their production chain, from the extraction of raw materials to commercialization. Therefore, although they constitute a global trend, sustainability risks manifest in a unique way in the PCP segment. This view of risks, as demonstrated, was successfully absorbed by the companies participating in this study, which represents an important insight for the field of organizational sustainability and should serve as guidance for PCP companies on a global scale.

Furthermore, an interesting question can be raised from these results. Due to the unique importance of sustainability perceived by PCP industries (and the difficulty in detecting these problems), the high level of risk in indirect suppliers (A14, #1) and visibility over suppliers (A13, #4) may also be related to sustainability. It is possible that the industries analyzed consider that, in addition to operational risks, the limited knowledge about indirect suppliers may conceal potential environmental failures of these distant partners, or even that the lack of visibility may compromise the assessment of the supplier’s sustainable practices. However, this line of reasoning requires further investigation and may serve as a direction for future research.

The third-highest-ranked risk factor was natural and social disasters among suppliers (A15). The experts’ perception corroborates the common view in the literature that catastrophic risks generally have a high impact and are difficult to manage [17]. This type of risk is shared by companies across all sectors. Therefore, several organizations have considered selecting suppliers not located in regions prone to natural disasters as a measure to mitigate this risk [6,31].

The fourth-ranked, and last prioritized, risk factor was lack of visibility over suppliers (A13). However, the risk factor of lack of integration with suppliers (A12) received a low ranking (18th). This represents a worrying flaw in the industry’s perception, as there is a lack of awareness that integration brings visibility; if visibility is not satisfactory, it is recommended that integration be reviewed and strengthened. This indicates a cognitive bias that should be addressed by industries and highlights the importance of a training program in SCRM. This is also one of the most important findings of this research and corroborates the studies by Brito and Miguel [18] and Romano et al. [19], which point to low integration in the Brazilian PCP chain. Supply chain integration is unanimously viewed in the literature as a key strategy for SCRM performance [33,37,40,79].

On the other hand, it can be deduced that the analyzed industries have well-established processes and rely on their quality policies, quality control methods, and supplier approval, which serve as control devices in risk management. This is reflected in the low aggregate concern with the risk factors of alternative supplier responsiveness (A9) and inability to meet quality requirements (A1), which were ranked last and second-to-last, respectively. By way of comparison, the study by Thun and Hoenig [31] points out that quality risk has a high probability of occurrence in the automotive industry; in the PCP industry, however, this probability is considered low (O score less than or equal to 3 in 80% of companies).

The reason for this finding is directly linked to another unique characteristic of the PCP industry, which is the risk to consumer health due to exposure to the chemical compounds in the products (A19, 7th). This risk was analyzed with high severity (S greater than or equal to 8 in 90%), but it did not enter the list of prioritized risks due to low probability (O = 1 in 90%) and high detectability (D less than or equal to 3 in 90%). It makes sense that an industry attuned to this risk factor can also reduce the probability of quality deviations in raw materials through a strict supplier approval process. It also makes sense that most of the articles identified during the literature review phase of this research, as explained in Section 3 (Materials and Methods), focus on pharmaceutical chemistry and botany.

Obviously, we do not intend to suggest that product safety is not a critical concern in other industrial sectors. Product safety risk, when mentioned and interpreted in this generic way, is relevant across various sectors. However, the risk to consumer health, caused by exposure to the product’s very basic composition (its chemical formulation), is a particularity of the PCP industry. This risk factor is intensified by the constant pressure for experimentation aimed at developing new formulas, as noted in the literature [18,60,63]. For this reason, it is recommended that the initial phase of product development already involves suppliers. In this regard, authors point out three essential practical steps: selecting raw materials from suppliers, testing the chemical formulation for human use, and conducting risk assessments [61,64].

Another typical characteristic of the PCP industry is rapid, widespread, and trend-based consumption, which can cause sudden fluctuations in demand with greater intensity than in other sectors. A car or a technological device, for example, does not have an extensive number of competitors, is not available in every retail outlet, and does not have the turnover volume of a PCP product.

Therefore, it is essential that suppliers are able to meet the requirements of the PCP industry, such as changes in demand (A2, 9th), delivery requirements (A3, 10th), and increased production (A5, 13th), as these requirements are directly linked to end-consumer behavior. Our results show that these risks are considered relevant but are reasonably under control, reflecting well-established multisourcing and supplier approval processes in the sector’s industries.

6. Conclusions

The 19 supply risk factors identified in the literature, resulting from step 1 of this study, were considered adequate and sufficient by the experts to represent the real needs of their companies. As a result of the risk analysis and assessment developed in step 2, we found that indirect supplier failure was prioritized by 70% of the companies studied. Inability to meet changes in demand, inability to meet delivery requirements, import problems, lack of visibility into suppliers, natural/social disasters at suppliers, and sustainability/reputational risks at suppliers were prioritized by at least 30% of the companies.

When considering the experts’ assessments in aggregate in step 3 of this research, indirect supplier failure was confirmed as the most relevant risk in the sector. Sustainability/reputation risks, natural/social disasters, and lack of visibility round out the prioritized risks in the ranking. Prioritized risks, according to the Pareto criterion, account for approximately 80% of the sector’s total risks. The results of this study imply that the Brazilian PCP industry, considering the companies analyzed, needs to pay greater attention to mapping its indirect suppliers and integrating its supply chain.

Therefore, the overall objective of this research was achieved: to identify, analyze and evaluate the main supply risks faced by the PCP industry. Based on the results of the empirical multi-case study and supported by SCRM guidelines, we were also able to generate recommendations for improvement regarding the risk management practices adopted by organizations in the sector.

Thus, specific objective O1 of this research was met: to apply a systematic process for assessing supply chain risks in the PCP industry. We obtained access to investigate actual operations management practices in large PCP industries in Brazil and applied the systematic risk assessment process recommended by the ISO 31000 family of standards, which has proven highly effective for identifying, analyzing, and evaluating supply risks. Objective O2 was also met: to develop an aggregated ranking of supply chain risks in the PCP industry. We applied GRA to aggregate the judgments of industry supply chain experts and provide a comprehensive overview of the main supply risks in the PCP industry.

In this way, we contribute to the body of SCRM knowledge in an exploratory manner by shedding light on the risk landscape of an industrial sector little investigated in the literature. Our most innovative theoretical contributions were identifying risks particular to the PCP industry and demonstrating how the industry assesses these risks, such as the demand for “natural” products, consumer health, large production volumes, and easy product substitutability. Some previous research touches on the topic, but to the best of our knowledge, this is the first article to carry out a risk assessment and risk ranking in the PCP industry. Furthermore, we investigated the integration of these industries within the supply chain and pointed out the need for mapping indirect suppliers, an aspect that still receives little attention in the literature.

This work also presents a second substantial theoretical contribution related to the processes used for risk assessment. We demonstrate the joint application of ISO 31000, FMEA, and GRA for the evaluation of operational risks, which represents a theoretical innovation compared to the existing literature. In addition, we corroborate the applicability of the GRA method to aggregate subjective judgments in a risk management context. We also respond to calls from several authors for more empirical studies in SCRM, with the participation of managers from major industries in the Brazilian PCP market.

From a practical perspective, managers will find in this work a detailed and feasible procedure for implementing risk management in their companies, as well as a relevant discussion with recommendations on best practices in SCRM, which can be leveraged and adapted to each organization’s context. Managers can also use this work to understand the main industrial risks in the supply chain and compare the vision presented here with their companies’ current perspective. This can optimize corporate efforts to prevent or mitigate these risks, such as mapping indirect suppliers.

Specifically, companies in the PCP sector can use this study to understand the current state of the supply chain risk landscape. Especially in Brazil, where SCRM is still in its infancy, managers can use this study as a starting point to expand their knowledge on the topic and incorporate SCRM into their corporate practices, for example, by implementing a risk management program for suppliers.

Regarding limitations, this research does not aim to conduct a market-based study of the most relevant PCP industries in Brazil, nor does it perform a probabilistic sampling by mapping all existing industries in the country. Therefore, the results are not statistically representative of the entire sector. However, the rigorous criteria and structured sequence of steps adopted in this study ensure that our contributions are relevant to the PCP industry and the SCRM field on a global scale, both theoretically and practically.

As our sample is limited to the Brazilian market, the results cannot be generalized to other markets. Industrial parks in different regions of the world may present different stages of maturity regarding SCRM. Experts may also have varying perceptions of risks, influenced by local, technical, and cultural factors, which could lead to assessments different from those presented in this work.

Therefore, for future research, it is recommended to expand to other regions. The methodological design used in this study can be applied to evaluate risks and develop a risk ranking in the European PCP industry, for example, and compare them with the results of this research. The European market, estimated at around 78 billion euros, is highly relevant for the PCP segment. Thus, this research topic would benefit from cross-referencing information and cross-cultural comparative analysis.

Another possible direction for future research is the assessment of risks using dynamic methods, such as Bayesian networks. The main benefit of this type of approach is to delineate the evolution of risks over time, which would be relevant for adding the temporal dimension to the discussions raised in this study and for expanding the understanding of risk scenarios faced by the PCP industry. Like FMEA, Bayesian networks are a tool recommended by the ISO 31010 standard for application in the risk management process.

We also suggest that possible research approaches include investigating how these same companies implement risk mitigation strategies related to this study; investigating which techniques are most appropriate for implementing SCRM; investigating the industry’s state of risk management maturity; and delving into the relations between supplier visibility and sustainability, as discussed. These developments would be relevant in order to continue exploring the topic of SCRM in the PCP industry, aimed at increasing knowledge about the practical and technical aspects of risk management, with the support of empirical studies. Researchers could also develop risk rankings using other multicriteria decision-making methods, such as TOPSIS, and compare the results with this study or replicate our methodological procedure for risk assessment in other industrial sectors.