InTechOpen uses cookies to offer you the best online experience. By continuing to use our site, you agree to our Privacy Policy.

Engineering » Control Engineering » "Quality Control and Assurance - An Ancient Greek Term Re-Mastered", book edited by Leo D. Kounis, ISBN 978-953-51-2922-6, Print ISBN 978-953-51-2921-9, Published: February 22, 2017 under CC BY 3.0 license. © The Author(s).

Chapter 6

Exploring the Relationship of Supply Chain Risk Management to Quality Management

By Tyler Florio
DOI: 10.5772/65847

Article top

Exploring the Relationship of Supply Chain Risk Management to Quality Management

Tyler Florio
Show details


This research explores the relationship between an organization's supply chain risk management (SCRM) maturity and quality maturity. SCRM maturity was measured using a survey questionnaire sent to organizations in the USA. Quality maturity was assessed via ISO 9001:2008 certification status as well as through a survey questionnaire of total quality management (TQM) practices for organizations in the USA. The results suggest that ISO 9001:2008 is not related to SCRM maturity, while TQM maturity is related to SCRM maturity. Organizations with more mature TQM programs appear to also have more mature SCRM programs.

Keywords: quality management, supply chain management, risk management

1. Introduction

Maintaining the integrity of a supply chain through risk mitigation is crucial to smooth and efficient business operations. However, as supply chains become more global in scope, the potential for risk events occurring increases. For this reason, supply chain risk management has gained substantial interest in recent years among academics. Preliminary research indicates that there are no established standards for certifying risk management capability of organizations in the supply chain. In relation to standards and guidelines, the International Organization for Standardization (ISO) has emerged as a body that seeks to establish and promote best business practices through certifications that organizations can earn. These certifications signal to potential partners that a level of capability has been attained by the organization in a specific area of interest, such as quality management.

Common certifications related to business include, but are not limited to: ISO 9001, 11000, 14001, and 22000. Most of these involve quality and safety, but none certify for supply chain risk management specifically. The closest standard to achieving this is the ISO 31000 risk management principles and guidelines. However, a certification is not available. Therefore, the rigor of a certification is absent from this standard. In order to be awarded an ISO certification, an organization must submit an application to ISO and undergo a rigorous six‐stage evaluation process based on various criteria. Other certification bodies do exist that attempt to augment risk management activities in the supply chain. One standard that at least implies an organizational ability to manage risk is Customs‐Trade Partnership Against Terrorism (C‐TPAT). It is a voluntary program that focuses on improving the security of private companies’ supply chains with respect to terrorism. However, it addresses only one particular type of risk event related to disruptions produced by actual or potential terrorist threats and does not address an organization's overall risk management maturity. Nonetheless, organizational certification by ISO 9001 in particular may be able to signal risk management capabilities simply by virtue of the attention the standards bring to improving process management through the principles of total quality management (TQM). ISO 9001 was revised in 2000 to incorporate the principles of TQM into its certification criteria. Therefore, by extension, TQM maturity, in general, may also provide a signal of supply chain risk management maturity.

A large number of organizations, covering a wide variety of industries, are ISO 9001 certified. Because quality standards and certifications are intended to unify and improve business practices as a whole, the following question arises: are companies that have more mature quality systems, and certified to ISO 9001 in particular, better equipped to manage risk? Researching companies who have quality management programs and how their processes have improved since implementing them may shed light on protecting a company's assets, operations, and its structure from adverse risk events. This research assists in confirming the following statement: A company’s use of a TQM system, and particularly through ISO 9001 certification, ensures a high level of risk maturity as compared to that of companies that do not implement a TQM system and/or quality certifications.

In the next section, the literature is reviewed and research questions stated. This is followed by the research methodology, which includes a description of the data. Results are then presented. The findings of this research are subsequently discussed and conclusions drawn. This is followed by a discussion of areas for further study and limitations to the research.

2. Literature review

A study involving supply chain risk starts with a classification of all potential risks. These typically include the following: supply risk, demand risk, process risk, technology risk, logistics risk, information risk, and environment risk [1, 2]. The current research focuses on supply and demand risks because these present supply chain managers with significant challenges due to the severity of the impact and difficulty of effective mitigation. Van Miegham [3] characterizes the loss of a key supplier as having a high effect for aggregate loss severity and a moderate probability of occurrence. Further, Chen et al. [4] report that demand risks have a direct negative effect on supply chain performance. The literature also recommends differing approaches to moderating the occurrence of supply or demand disruptions, such as firm innovativeness, process modularity, and interactive complexity reduction [57]. These all relate to the types of activities involved in a quality management strategy that seeks to simplify, standardize, and generally improve products and processes.

As noted, the occurrence of a supply chain risk event can be damaging to any organization no matter where they may be within the supply chain. Technically speaking, risk is defined as the (negative impact to objectives × likelihood of occurrence). Risk management contains four primary steps within its processes. These steps include the following:

  • Risk identification,

  • Qualitative or quantitative assessment,

  • Risk prioritization, and

  • Response planning and risk monitoring.

Within these four steps are the proper responses to various types of risk. The first possible response is to mitigate risk. Mitigating entails performing an action to reduce the impact or likelihood of various risk events. The second possible response is to avoid risk. Avoiding risk entails completely ceasing the various activities that create said risk. The third response is to transfer risk. Transferring risk involves shifting risk to other operational areas of the supply chain that are better equipped to handle risk events. The fourth and final way to manage risk is to accept risk. Risk may be accepted if its consequences do not outweigh the benefits of surrounding the risk that is created [8]. Three common methods of assessing risk are effective, but not unified in their approach.

The first method is the Delphi method. The Delphi method was originally developed in 500 B.C. by Greek prophets [9]. The prophets would hear various people's complaints, develop a response, and allow the people to formulate a revised complaint. This method was revised by the RAND Corporation in the 1950s and followed the Greek's original method. The RAND Corporation's method consisted of surveys, followed by a response, followed by revised surveys based on initial results. This process gave participants a chance to re‐assess criteria and re‐evaluate based on the responses, which provided greater insight to their issues at hand. The main drawback to this method is it is time consuming, because of the analysis of the initial surveys followed by the revisions of the second round of surveys.

The second popular method is Monte Carlo Simulation. This method was developed in the Monte Carlo casinos to gauge risk brought upon by the various gambler's chances of winning. This method focuses on uncertain risk and is assessed by model construction and analysis through computer simulation. The negative aspect of this method occurs, because it requires extensive mathematical prowess and requires significant amount of education to be proficient.

The third method is decision tree analysis. Decision tree analysis utilizes graphical methods to draw correlations to common risks. This method is effective, because it creates a visual image of how various risks are linked, but suffers because of its simplicity [10].

Normally, since avoiding risk is so vital, there should be a series of guidelines in place to facilitate conducting supply chain risk management (SCRM) while supporting total quality management (TQM). Performed literature review indicates that there is no unified series of standards of avoiding risk. Even though most companies have their own emergency preparedness plans in place, a majority of company executives do not review or approve them and only 42% conduct emergency preparedness practices on a regular basis [11]. Companies must learn how to handle diverse amounts of risk such as natural disasters, political unrest, or acts of terrorism. Prior to September 11, 2001, preparedness levels addressing terrorism did not exist.

The World Economic Forum (WEF) has reported that although supply chain risk is an important issue, it is widely mismanaged [12]. Consistent mismanagement of risk across multiple industries might have a ripple effect on global risk which tends to amplify the disruptive impacts of a local risk event with resulting impacts far beyond the corporate sector. The believed cause is companies’ inability to detect these ripples (such as the effects of catastrophes and pandemics on the other side of the world) before they become waves that disrupt their supply chains [13]. Many of these preparedness plans have been found to be inefficient because of lack of communication and collaboration, such as Alabama and Louisiana's responses to Hurricane Katrina [14].

Along with natural disasters and man‐made risk, there is organizational and network risk. Organizational risks include inventory risk, process/operational risk, quality risk, and management risk, while network risks result from interactions between organizations within the supply chain. Agility, flexibility, contingency planning, and preparedness are preferred generic strategies for managing such risks in general [15]. It has been found that larger companies in the private sector are better equipped to individually handle disaster than smaller companies in the public sector [1618]. These small companies simply do not have the resources to develop a proactive approach, so instead they take a more defensive (reactive) approach constituting risk elimination aspects [19]. Performed research indicates a gap between the risk management policies that large companies are capable of implementing and what their smaller counterparts are able to produce. Many have tried to develop supply chain risk management policies linking risk identification, risk assessment, and risk mitigation to risk performance [20]. Academics along with industry leaders see a need to replace traditional and varying risk management techniques for ones that are better designed to handle extreme complexities, unpredictable events, and threats. They have sought to discover a link between vulnerable factors and controllable factors. The Supply Chain Resilience Assessment and Management (SCRAM) framework was developed, but only served to suit the needs of a select few companies [21]. Companies must also have a framework in place to address general risk between inter‐organizational partnering. Once two or more companies become partners, they assume the other's risk in some or a large capacity, as previously mentioned [22]. According to Zhao et al. [23], “…supplier, internal, and customer integration are the most important drivers for schedule attainment, competitive performance, and customer satisfaction, respectively” (p. 115). They find that supply chain risks are negatively related to supply chain integration. Although global integration is crucial and necessary to be competitive, it inherently carries an increased amount of risk.

Performed literature review shows that multiple organizations and companies have tried to institute best practices for mitigating risk. However, there is not one general set standard for how to approach the subject of avoiding or correcting risk in the supply chain. The reason for this variety in practices is possibly because of the variety of industries coupled with the varying ways in which risk can present itself. The food industry will not have the same problems as a metal manufacturing industry. Even within the same industry, companies might not have the same problems. A seafood distributor will have different issues to assess than a fruit producer. These varying sources and types of risk have made it difficult to create guidelines in order to steer companies in the right direction to manage risk in their supply chain. Also, since there is a lack of general guidelines concerning risk management, every industry (even every company) has taken it upon themselves to develop their own guidelines.

The International Standard for Organization (ISO) seeks to remedy the varying levels of supply chain risk preparedness and quality by allowing companies to become universally certified in various ISO certifications to promote a unity of practice.

The steps for ISO certification are as follows:

  • Stage 1: Proposal stage—development of initial proposal of operational standards

  • Stage 2: Preparatory stage—preparing proposal for submission

  • Stage 3: Committee stage—committee review of proposal

  • Stage 4: Enquiry stage—questioning into company operations post‐review

  • Stage 5: Approval stage—approval for ISO certification

  • Stage 6: Publication stage—ISO certification publicized and legitimized

Certifications, such as ISO 9001, and guidelines, such as ISO 31000, are best suited to prepare companies to handle risk (, 1) (, 1). Specifically, ISO 31000 (containing ISO Guide 73:2009 and ISO/IEC 31010:2009) seeks to establish guidelines for risk. ISO 31000 contains within it risk management principles, a framework for risk management, and a process for managing risk. It purports to be applicable to any organization regardless of size or sector and claims to increase the likelihood of improving the identification of opportunities and threats, thereby allowing an organization to more effectively allocate and use resources for risk treatment. ISO 31000 does not allow for certification but can aid with internal and external audits. These guidelines allow preparation for strategic, operational, and management risk and provide insight into the philosophy and practices that an organization might adopt in building an effective risk management system.

The ISO 9001 standards are also closely related to the approach used in quality improvement systems. In fact, the literature reports that there is a relationship between TQM and ISO 9001. TQM principles were incorporated into the ISO 9001 standard in the year 2000, so a significant relationship is likely to exist [24]. Studies have since shown a relationship between ISO 9001 and TQM. Psomas et al. [25] found that ISO 9001 certified companies achieve significant quality improvement through the implementation of the core process management practices characteristic of TQM. Sampaio et al. [26] found that most researchers in this area reason that ISO 9001 and TQM are very similar and should both be implemented in the organization together [2729]. Others suggest that the structure of ISO 9001 can actually aid in the implementation of TQM practices [30]. Therefore, one would expect TQM principles and practices to be present in organizations that have achieved ISO 9001 certification. A few supply chain risk and quality studies do exist. Chapman et al. [31] studied delivery lead time variability and quality management. Tse et al. [32] explored quality and safety problems in the supply chain and introduced a supply chain risk management framework to reduce quality risk. Therefore, the relationship of supply chain risk management to quality management practices has not been widely studied. Based on this review of the literature, the following statements will be assessed empirically:

  1. Organizations that are ISO 9001 certified have more mature risk management systems than organizations that are not ISO 9001 certified.

  2. Organizations that have more mature risk management systems also demonstrate more mature quality management systems.

3. Data and research methodology

Data for this study came from a list of approximately 3000 United States–based organizations, compiled from the 2014 IAAR Directory, ISM‐CV, and CSCMP member lists. These organizations cover varying locations throughout the United States spanning industries such as medical, manufacturing, government, etc. The approach used in this study is a survey questionnaire, conducted via e‐mail, that includes demographic questions and questions specific to quality and risk management practices to gauge the relationship of quality management practices and risk management practices of organizations. The answers to the survey questions are then used to compare the level of risk management between organizations who more effectively use quality improvement practices and those who do not.

The survey was distributed to potential respondents using Qualtrics survey software. The survey components contained questions measuring the respondent's position within the organization, their familiarity with the organization's quality management and risk management practices, the organization's size, industry and position within the supply chain, where and how the organization manages risk, the company's quality management practices, and their ISO 9001 certification status. The answers to most of these questionnaire statements were then ranked with answers on a 1–5 scale (1 being the worst and 5 being the best). These responses were analyzed using SPSS software. Selected items from the survey questionnaire are provided in the Appendix. These statements include the number of responses in each category, as appropriate.

The measurement of quality management practice within organizations was taken from the work of Dellana and Kros [33]. They developed a set of 13 statements that cover the main quality issues in an organization that could be found at any point in the supply chain and also in any type of industry. In their study, these 13 statements were split into two distinct constructs. Based on data from 565 respondents, 8 of the statements were assigned to the construct of internal‐downstream quality (i.e., customer‐related), while the remaining 5 statements were grouped under the construct of external‐upstream quality (i.e., supplier‐related). In their investigation, the internal‐downstream construct was found to be associated with industry class and a measure of supply chain position, while the external‐upstream construct was not. Therefore, in the current research, the measure of quality maturity is limited to the eight statements from Dellana's and Kros's previous work that made up the internal‐downstream construct (ref. question 9 of the Appendix). The measurement of risk management practice in organizations was more challenging. No generally accepted measure of risk management maturity was found in the literature. Therefore, a set of statements was inspired and derived from a number of sources, including the ISO 31000 guidelines [3442]. This resulted in the 15 statements listed in the questionnaire for question 7 of the Appendix.

4. Results

The results of the survey based on SPSS statistical software analysis are as follows. A total of 500 of the approximately 3000 potential respondents reached an active e‐mail account. Of these 500, responses to the questionnaire were received from 40 individuals. Of these 40 responses, 18 respondents indicated their organization as ISO 9001 certified, while 20 responded that their organization was not ISO 9001 certified (two did not respond to the ISO certification question and therefore these two questionnaires were unusable). Analysis of nonresponse bias was performed by comparing the mean score for TQM of early versus late responders. There was no significant difference in the mean score between the two groups (t = 1.40, p = 0.18). However, given the small sample size, a comparison of means is by no means conclusive. Therefore, this study and its findings are considered preliminary and exploratory in nature. It should also be noted that this survey was conducted prior to the issuing of the ISO 9001:2015 standards, which incorporate a focus on risk management. The standards in force at the time of this research were ISO 9001:2008.

A general consideration of the survey responses related to demographics of the individual and organization follows. The job title and level of the respondents was generally varied. However, most of the respondents were at the manager level and above (79%). Most were somewhat to very familiar with their organization's supply chain risk management process (78%), with 38% reporting being very familiar. The overwhelming majority were somewhat to very familiar with their organization's quality management practices (94%), with 53% reporting being very familiar. The organizational size, based on number of employees, also varied quite a lot. Grouping into three categories of small, medium, and large yields relative percentages of 42, 29, and 29%, respectively. About 40% of respondent organizations have a department dedicated to supply chain risk management, while about 32% have each department responsible for assessing supply chain risk related to their particular function. Approximately, 35% are involved in the manufacturing part of the supply chain, while about 38% are involved in distribution. The rest appear to be various services that relate to differing parts of the supply chain. The organizations fall mostly into the general industry categories related to manufacturing (34%) and services (34%). This is followed by transportation/distribution at about 21%. Finally, 47% of respondents reported their organizations are ISO 9001 certified while 53% reported not having ISO 9001 certification.

A factor analysis using principal component analysis was performed on the eight TQM‐related questions to assess whether or not they were consistent with prior research. However, it should be noted that, for the purpose of factor analysis, the present sample did not meet the requirement that minimum sample size be at least 10 times the number of variables per Nunnally [43] (n = 40, <10 × 8 = 80). That said, these 8 statements were already shown in Dellana and Kros's previous study to have met the requirements for factor analysis.

It was found that the eight TQM‐related statements all loaded strongly on a single factor. Metrics related to factor analysis were run. The KMO measure of sampling adequacy (index = 0.863) and Bartlett's test of sphericity (p = 0.0000) were found to be acceptable. Therefore, the results presented herein were very consistent with prior work, which gave support for this research. The model met underlying assumptions (except sample size issues). The reliability of all eight questions together also was very good (Cronbach alpha reliability = 0.93). The TQM maturity variable value used in SPSS analysis was the average score for the eight statements out of a possible score of 5.0. Therefore, a higher average score indicates greater TQM maturity.

SCRM Factor 1 statements
(Questionnaire statements i, k, l, m, n)
SCRM Factor 2 statements
(Questionnaire statements b, d, e, f)
i. We follow the four step process of risk identification, analysis, education, and treatmentb. Risk management is an ad hoc process for us that occurs informally on an as‐needed basis
k. We prioritize risk events based on severity of impact to our organizationd. Our risk management assessment is based on probability analysis of relevant risks
l. We involve our suppliers in identification and mitigation of potential supply chain riskse. Our risk management assessment occurs at least annually
m. We encourage our suppliers to use a structured risk management process (e.g., ISO 31000)f. Risk assessment is a quantitative process for us
n. We work with our customers to identify and mitigate
potential supply chain risks

Table 1.

Results of factor analysis for supply chain risk management (SCRM) measurement.

Because the result was so positive for the TQM measure, factor analysis was also conducted on the supply chain risk management (SCRM) statements using principal components analysis in SPSS. Once again, the sample size requirement of Nunnally was not met in this case, so the analysis is preliminary. The KMO measure of sampling adequacy (index = 0.783) and Bartlett's test of sphericity (p = 0.0000) were found to be acceptable. Two factors were extracted using a varimax rotation and Kaiser normalization. The reliability of the statements in the two SCRM factors held very well with Cronbach's alpha measures of 0.88 and 0.86 for Factor 1 and Factor 2, respectively. The two SCRM factor sets are described in Table 1 and are synonymous with the survey statement designations. Factor 1 seems to describe more so “What” is managed during risk assessment, while Factor 2 seems to describe “How” this risk is assessed and corrected. An overall measure of SCRM combines these two sets of statements for a total of nine statements. In all cases of the risk maturity variables (i.e., SCRM, SCRM1 and SCRM2) the value used in SPSS analysis was the average score for the related statements out of a possible score of 5.0. Therefore, a higher average score indicates greater SCRM maturity.

4.1. Research question 1

The first research question explores whether organizations that are ISO 9001 certified have more mature risk management systems than organizations that are not ISO 9001 certified.

The relationship of ISO certification with SCRM was measured with the dependent variable entered as the respective risk management variables (i.e., SCRM1, SCRM2, and SCRM) using a univariate linear regression in SPSS with ISO 9001 certification as an independent variable. In all cases, the number of employees, supply chain position, and TQM score were also entered as control variables. Because of low frequencies by category, some data consolidation was performed. The number of employees was collapsed into small, medium, and large groups. Supply chain position was generally sorted into manufacturing and distribution and other.

The results of the regression analysis are given in Table 2. Backward removal of variables in SPSS resulted in the ISO 9001 reaching a significance of at best p = 0.064. This was for the case of the SCRM overall. SCRM2 was second best with a significance of p = 0.079. Neither of these make the generally accepted threshold of 0.05 significance level and were, therefore, not included in the final SPSS models. The models were also run with all control variables excluded to determine whether this would make a difference to the result. The outcome was similar to the model that included control variables, with SCRM1 at a significance of p = 0.806, SCRM2 at a significance of p = 0.061, and SCRM at a significance p = 0.248. Therefore, the evidence is weak for a conclusion that ISO 9001 certified organizations have more mature risk management systems than non‐ISO 9001 certified organizations.

A breakdown by industry type had been a goal of this research, but the sample size was too small to accommodate a rigorous statistical analysis. However, it is worth noting that the split of ISO and non‐ISO certified organizations was quite different between organizations classified as manufacturing (9 certified, 4 noncertified) and those classified as service (2 certified and 11 noncertified). Distribution‐related organizations were more evenly split (five certified and three noncertified). Table 3 shows a breakdown of the scores for SCRM and TQM by major industry type. The scores for SCRM seemed to favor the service organization over manufacturing, especially for SCRM2. Although ISO 9001 does not clearly differentiate regarding SCRM maturity, there is at least the implication in this research that industry type may be a differentiator. A similar analysis could be conducted by supply chain position. It might be expected that organizations further downstream in the supply chain would exhibit greater SCRM maturity than those upstream given the lengthening of the supply chain heading downstream, which increases the chance of risk event occurrence that disrupts the supply chain.

  • SC position

  • TQM

  • ISO 9001

  • Number employees

  • SC position

  • TQM

  • ISO 9001

  • Number employees

  • SC position

  • TQM

  • ISO 9001

  • Number employees


Table 2.

Linear regression analysis results for SCRM variables versus ISO 9001.

Score categoryManufacturing (n = 13)Service (n = 13)Distribution (n = 8)

Table 3.

Mean SCRM and TQM scores by general industry type.

4.2. Research question 2

The second research question explores whether organizations that have more mature supply chain risk management systems also demonstrate more mature quality management systems. The simple linear regression analysis of Table 2 incorporates the TQM score as an independent variable in the analysis of relationships with SCRM variables. TQM was found to be strongly significantly related to SCRM1 (p < 0.000) and SCRM overall (p = 0.002). Both of these met the generally accepted threshold of 0.05 significance level and were, therefore, included in the final SPSS models. SCRM Factor 1 statements tend to describe the actual risk management process details, outlining the process steps and who is involved. SCRM Factor 2 statements are more general and have more to do with the timing and nature of the process. The models were also run for SCRM variables with TQM as the only independent variable in each case to determine whether this would make a difference to the result. The outcome was similar to the model that included control variables with SCRM1 at a significance of p < 0.000, SCRM2 at a significance of p = 0.248, and SCRM at a significance p = 0.003. This suggests that the presence of a mature TQM program may signal a more mature supply chain risk management system based on the actual process scope and steps.

Analysis was also run on the correlation between TQM and SCRM1 specifically to see where there were strong relationships between specific quality management statements and supply chain risk management maturity statements. SCRM1 statements i, k, and l were all positively correlated to TQM statements a, b, c, d, e, g, and h (see Table 1 for the specific questions). SCRM1 statement m was positively correlated to TQM statements a, b, c, g, and h. SCRM1 statement n, b, g, h was positively correlated to TQM statements b, g, and h. Therefore, statement f, “Quality metrics or standards are kept,” was not correlated to any SCRM1 statements. This analysis suggests that TQM is strongly related to most of the SCRM1 statements, with only a few weak relationships. Statement 6 stands out as unrelated to SCRM1, while statement n of SCRM1, “We work with our customers to identify and mitigate potential supply chain risks”, stands out as only weakly related to TQM.

5. Conclusions

These results suggest that ISO 9001 is not strongly related to supply chain risk management maturity. There was not a strong relationship between ISO certification and company's preparedness level of SCRM and TQM. However, TQM is clearly related to SCRM1, no matter the variables that are included. The more mature a company's TQM practices, the more mature the company is in terms of SCRM as identified by the SCRM Factor 1 (which describes the actual risk management process details, outlining the process steps and who is involved). Most of the statements comprising this factor were positively correlated to the TQM statements (denoting total quality management practices). In particular, these included the following SCRM1 statements:

  • (i) “We follow the four step process of risk identification, analysis, education, and treatment;”

  • (k) “We prioritize risk events based on severity of impact to our organization;”

  • (l) “We involve our suppliers in identification and mitigation of potential supply chain risks;”

  • (m) “We encourage our suppliers to use a structured risk management process (e.g., ISO 31000).”

The statement related to customers (i.e., “We work with our customers to identify and mitigate potential supply chain risks”) was only weakly associated to TQM.

The lack of significance between ISO9001:2008 and the two factors of SCRM, based on survey results and analysis, suggests that the standards for ISO 9001:2008 and 31000 do not provide a significant advantage to risk assessment and management.

Though they provide positive frameworks for overall company structure and project development, ISO 9001:2008 was not equipped to provide a framework for risk management that eclipses alternative methods. It should be noted that ISO 31000 is a new addition and has not yet been fully developed. Before the implementation of ISO 31000, risk was not explicitly addressed under ISO standards.

6. Limitations and further research

The number of respondents in this study was relatively small and necessarily reduces the power of the statistical tests in this study. The low response rate also introduces the potential for nonresponse bias. Therefore, the conclusions should be treated with caution. However, the results suggest that a higher response rate would indicate a similar pattern of results based on prior studies, in particular related to the TQM maturity metric.

To further aid such a study, case studies may be performed to monitor the daily processes of companies who are and are not ISO certified. This would provide more of an in depth analysis of the effects of ISO certification on risk management. E‐mail provided certain limitations to accessibility, because of company filtering software and lack of personal interaction. Joint participation with the ISO organization into the effectiveness of their certifications would also lead to a better understanding and greater ease of access.

However, the results of this initial survey and analysis suggest that ISO does not play a significant role in risk assessment and correction. Though, the more mature a company is able to be in terms of their total quality management procedures, the better equipped it will be to handle supply chain risk.

Further study should be conducted to seek a larger sample size in order to assess the reliability of the results in this study. It would also help shed light on differences by industry type and supply chain position. However, this will necessarily involve the newer standards for ISO 9001:2015. Therefore, it is unlikely that this study can be replicated. It would, nonetheless, still be of interest to assess the degree to which the new standards have impacted on organizational effectiveness in managing risk in the supply chain. Since the new standards now focus attention specifically on risk management, it should signal to customers that ISO 9001:2015 certification is a good supplier prequalifier when it comes to supply chain risk management and not just quality. Or at least that would be the expectation. Further study is needed to confirm this.

Appendix: Selected survey questions (number responding given in parentheses)

  1. What is your current job title/level?

    • CEO/President (7)

    • Vice President (8)

    • Director (4)

    • Manager (11)

    • Experienced Staff Member (3 or more years of experience) (3)

    • Entry Level Staff Member (less than 3 years of experience) (1)

    • Other. Specify: (4)

  2. About how many employees does your organization have?

    • 20 or fewer (5)

    • 21 to 100 (11)

    • 101 to 500 (6)

    • 501 to 5000 (5)

    • 5001 to 10,000 (3)

    • More than 10,000 (8)

    • Not sure

  3. Which industry category does your organization best fit into?

    1. Aerospace manufacturing (2)

    2. Automotive manufacturing (1)

    3. Chemicals/plastics manufacturing (2)

    4. Computer equipment manufacturing (0)

    5. Electronics/electrical manufacturing (1)

    6. Fabricated metal products manufacturing (2)

    7. Food products manufacturing (0)

    8. Government/public administration (1)

    9. Machinery manufacturing (Industrial/Commercial) (4)

    10. Pharmaceuticals manufacturing (1)

    11. Retail trade/merchandising (0)

    12. Services: Educational services (1)

    13. Services: Professional/scientific/technical (12)

    14. Transportation (1)

    15. Utilities (1)

    16. Warehousing/distribution (7)

    17. Wholesale trade (2)

    18. Other. Specify: (1)

  4. How does your organization conduct supply chain risk analysis? (select one)

    • We outsource our supply chain risk analysis to a consulting firm. (1)

    • We have a dedicated Risk Management Department (i.e., an internal consultant) that performs supply chain risk analysis for the organization. (9)

    • Each department is responsible for assessing supply chain risk related to their particular function. (12)

    • We have a specific department (e.g., procurement) that is charged with managing supply chain risk. (Please specify department:) (6)

    • Other. Specify: (9)

  5. Which of the following positions best describes your organization’s business function in the supply chain?

    • Raw/basic material manufacture (1)

    • Component/sub‐assembly manufacture (1)

    • Final product manufacture (11)

    • Warehousing/distribution (14)

    • Retail (0)

    • Other. Specify: (10)

  6. How familiar are you with your organization's supply chain risk management process?

    • Very unfamiliar (7)

    • Unfamiliar (1)

    • Somewhat familiar (7)

    • Familiar (8)

    • Very familiar (14)

  7. The following statements relate to your organization’s supply chain risk management system. Please indicate the degree to which you agree or disagree with each statement in relation to your organization.

    (1 = Strongly disagree, 2 = Disagree, 3 = Neither agree nor disagree, 4 = Agree, 5 = Strongly agree)

    1. Risk management is built into our planning process.

    2. Risk management is an ad hoc process for us that occurs informally on an as‐needed basis.*

    3. Our risk management assessment occurs on a regular schedule.

    4. Our risk management assessment is based on probability analysis of relevant risks.

    5. Our risk management assessment occurs at least annually.

    6. Risk assessment is a quantitative process for us.

    7. Our risk management process is assessed for continual improvement.

    8. Top level management is involved in our risk management process.

    9. We follow the four step process of risk identification, analysis, education, and treatment.

    10. We prioritize risk events for treatment based on results of risk analysis.

    11. We prioritize risk events based on severity of impact to our organization.

    12. We involve our suppliers in identification and mitigation of potential supply chain risks.

    13. We encourage our suppliers to use a structured risk management process (e.g., ISO 31000).

    14. We work with our customers to identify and mitigate potential supply chain risks.

    15. We have a process in place for corrective feedback to our risk management process.

    *Coded in reverse in the analysis.

  8. How familiar are you with your organization's quality management practices?

    • Very unfamiliar (1)

    • Unfamiliar (1)

    • Somewhat familiar (5)

    • Familiar (9)

    • Very familiar (18)

  9. The following statements relate to your organization’s quality management system. Please indicate the degree

    to which you agree or disagree with each statement in relation to your organization.

    (1 = Strongly disagree, 2 = Disagree, 3 = Neither agree nor disagree, 4 = Agree, 5 = Strongly agree)

    1. Customer satisfaction/service data for key indicators are actively accumulated and analyzed.

    2. Customer data are used to make internal quality improvements.

    3. Customer complaints are tracked and managed through a formal complaint system with feedback.

    4. Customer service standards are kept.

    5. Employee use of quality‐related problem solving techniques is actively supported (ex. DMAIC, control charting, etc.).

    6. Quality metrics or standards are kept.

    7. Team‐based quality improvement is actively supported.

    8. Top management has a demonstrated commitment to quality.

  10. Is your organization certified for ISO 9001 or equivalent?

    • Yes (18)

    • No (20)


This chapter is built on prior research from “The Relationship of Organizational Quality Management Practice with Supply Chain Risk Management Program Maturity”, Thesis for East Carolina University Honors College


1 - Punniyamoorthy M., Thamaraiselvan N., Manikandan L., Assessment of supply chain risk: scale development and validation. Benchmarking: An International Journal. 2013; 20(1):79–105.
2 - Wildgoose N., Brennan P., Thompson S., Understanding your supply chain to reduce the risk of supply chain disruption. Journal of Business Continuity & Emergency Planning. 2012; 6(1): 55–67.
3 - Van Miegham J., Risk management and operational hedging: an overview. In: Kouvelis P. et al. Editors. Handbook of integrated risk management in global supply chains. Hoboken, NJ: John Wiley & Sons; 2011. p. 13–50.
4 - Chen J., Sohal A., Prajogo D., Supply chain operational risk mitigation: a collaborative approach. International Journal of Production Research. 2013; 51(7):2186–2199.
5 - Gualandris J., Kalchschmidt M., Product and process modularity: improving flexibility and reducing supplier risk failure. International Journal of Production Research. 2013; 51(19):5757–5770.
6 - Scholten K., Scott P.S., Fynes B., Mitigation processes—antecedents for building supply chain resilience. Supply Chain Management: An International Journal. 2014; 10(5/6): 211–228.
7 - Golgeci I., Ponomarov S.Y., Does firm innovativeness enable effective responses to supply chain disruptions? An empirical study. Supply Chain Management: An International Journal. 2013; 18(6):604–617.
8 - Kunimatsu L., Risk Management Basics—ISO 31000 Standards. 2013. p. 1–17 [cited 2016 Aug 30]. Available from:
9 - Fowles J., Handbook of futures research. Connecticut: Greenwood Press; 1978.
10 - Moeller R.R., COSO enterprise risk management: establishing effective governance, risk, and compliance processes. Hoboken, NJ: Wiley; 2011.
11 - Cavanaugh, T. Preparedness in the Private Sector. The Conference Board. December 2008;Report Number R-1436-08-RR. Available from:
12 - Bhatia G., Lane C., Wain A., Building resilience in supply chains: an initiative of the risk response network in collaboration with Accenture. World Economic Forum: Cologny/Geneva Switzerland; 2013.
13 - Ladbury A., Supply‐chain risks misunderstood, mismanaged: report. Business Insurance. 2008; 42(2):23.
14 - Chacon N., Doherty S., Hayashi C., Green R., New models for addressing supply chain and transport risk: an initiative of the risk response network in collaboration with Accenture. World Economic Forum: Cologny/Geneva Switzerland; 2012.
15 - Ghadge A., Dani S., Kalawsky R., Supply chain risk management: present and future scope. International Journal of Logistics Management. 2012; 23(3):313–339.
16 - Kumar S. Managing risks in a relief supply chain in the wake of an adverse event. OR Insight. 2011; 24(2):131–157.
17 - Aguiar Y.M., Assessing the CARVER+S risk management model of terrorism preparedness in business continuity planning. Northcentral University, USA: PhD dissertation; 2011.
18 - Skipper J.B., Hanna J.B., Gibson B.J., Alabama power response to Katrina: managing a severe service supply chain disruption. Arden: Jordan Whitney Enterprises Inc; 2010.
19 - Ellegaard C., Supply risk management in a small company perspective. Supply Chain Management. 2008; 13(6):425–434.
20 - Kern D., Moser R., Hartmann E., Moder M., Supply risk management: model development and empirical analysis. International Journal of Physical Distribution & Logistics Management. 2012; 42(1):60–82.
21 - Pettit T.J., Supply chain resilience: development of a conceptual framework, an assessment tool and an implementation process. The Ohio State University, USA: PhD dissertation; 2008.
22 - Finch P., Supply chain risk management. Supply Chain Management. 2004; 9(2):183–196.
23 - Zhao L., Huo B., Sun L., Zhao X., The impact of supply chain risk on supply chain integration and company performance. Supply Chain Management: An International Journal. 2013; 18(2):115–131.
24 - Fotopoulos C., Psomas E., The use of quality management tools and techniques in ISO 9001:2000 certified companies: the Greek case. International Journal of Productivity and Performance Management. 2009; 58(6):564–580.
25 - Psomas E.L., Fotopoulos C.V., Kafetzopoulos D.P., Core process management practices, quality tools and quality improvement in ISO 9001 certified manufacturing companies. Business Process Management Journal. 2011; 17(3):437–460.
26 - Sampaio P., Saraiva P., Rodrigues A.G., ISO 9001 certification research: questions, answers and approaches. International Journal of Quality & Reliability Management. 2009; 26(1):38–58.
27 - Escanciano C., Fernandez E., Vasquez C., Influence of ISO 9000 certification on the progress of Spanish industry towards TQM. International Journal of Quality & Reliability Management. 2011; 18(5):481–494.
28 - Gotzamani K., Tsiotras G., An empirical study of the ISO 9000 standards’ contribution towards total quality management. International Journal of Operations & Production Management. 2001; 21(10):1326–1342.
29 - Dwyer G., Business excellence versus ISO 9000 in an Irish context‐which delivers? Managerial Auditing Journal. 2002; 17(7):404–411.
30 - Magd H., Curry A., ISO 9000 and TQM: are they complementary or contradictory to each other. The TQM Magazine. 2003; 15(4):244–256.
31 - Chapman P., Bernon M., Haggett P., Applying selected quality management techniques to diagnose delivery time variability. International Journal of Quality & Reliability Management. 2011; 28(9):1019–1040.
32 - Tse Y.K., Tan K.H., Chung S.H., Lim M.K., Quality risk in global supply network. Journal of Manufacturing Technology Management. 2011; 22(8):1002–1013.
33 - Dellana S.A., Kros J.F., An exploration of quality management practices, perceptions and program maturity in the supply chain. International Journal of Operations and Production Management. 2014; 34(6):786–806.
34 - Gray C.F., Larson E.W., Project management: the managerial process. 4th ed. New York: McGraw‐Hill Companies; 2008.
35 - Foster S.T., Managing quality: integrating the supply chain. 5th ed. New Jersey: Pearson Education Inc.; 2013.
36 - Kouvelis P., Dong L., Boyabati O., Li R., Integrated risk management: a conceptual framework with research overview and applications practice. In: Kouvelis P. et al. Editors. Handbook of integrated risk management in global supply chains. Hoboken, NJ: John Wiley & Sons; 2011. p. 3–12.
37 - ISO 31000:2009. Risk management—principles and guidelines. ISO; 2009 [cited 2016 Aug 21]. Available from:‐1:v1:en.
38 - Leitch M., ISO 31000:2009—The new international standard on risk management. Risk Analysis: An International Journal. 2010; 30(6):887–92.
39 - DeRosier J., Stalhandske E., Bagian J.P., Nudell T., Using health care failure mode and effect analysis: The VA National Center for Patient Safety's Prospective Risk Analysis System. The Joint Commission; 2002, p. 248–67.
40 - SCRLC, Supply chain risk management: a compilation of best practices. Supply Chain Risk Leadership Council; 2011.
41 - Thompson A. Risk Management Framework. Government of South Australia, Adelaide: Department of Communities and Social Inclusion; 2009.
42 - COSO., Strengthening enterprise risk management for strategic advantage. Committee of Sponsoring Organizations of the Treadway Commission; 2009 [cited 2016 Aug 21]. Available from:
43 - Nunnally J.C., Psychometric theory. 2nd ed. New York: McGraw‐Hill; 1978.