Exploring the Relationship of Supply Chain Risk Management to Quality Management

This research explores the relationship between an organization's supply chain risk management (SCRM) maturity and quality maturity. SCRM maturity was measured using a survey questionnaire sent to organizations in the USA. Quality maturity was assessed via ISO 9001:2008 certification status as well as through a survey questionnaire of total quality management (TQM) practices for organizations in the USA. The results suggest that ISO 9001:2008 is not related to SCRM maturity, while TQM maturity is related to SCRM maturity. Organizations with more mature TQM programs appear to also have more mature SCRM programs.


Introduction
Maintaining the integrity of a supply chain through risk mitigation is crucial to smooth and efficient business operations. However, as supply chains become more global in scope, the potential for risk events occurring increases. For this reason, supply chain risk management has gained substantial interest in recent years among academics. Preliminary research indicates that there are no established standards for certifying risk management capability of organizations in the supply chain. In relation to standards and guidelines, the International Organization for Standardization (ISO) has emerged as a body that seeks to establish and promote best business practices through certifications that organizations can earn. These certifications signal to potential partners that a level of capability has been attained by the organization in a specific area of interest, such as quality management.
Common certifications related to business include, but are not limited to: ISO 9001, 11000, 14001, and 22000. Most of these involve quality and safety, but none certify for supply chain risk management specifically. The closest standard to achieving this is the ISO 31000 risk management principles and guidelines. However, a certification is not available. Therefore, the rigor of a certification is absent from this standard. In order to be awarded an ISO certification, an organization must submit an application to ISO and undergo a rigorous sixstage evaluation process based on various criteria. Other certification bodies do exist that attempt to augment risk management activities in the supply chain. One standard that at least implies an organizational ability to manage risk is Customs-Trade Partnership Against Terrorism (C-TPAT). It is a voluntary program that focuses on improving the security of private companies' supply chains with respect to terrorism. However, it addresses only one particular type of risk event related to disruptions produced by actual or potential terrorist threats and does not address an organization's overall risk management maturity. Nonetheless, organizational certification by ISO 9001 in particular may be able to signal risk management capabilities simply by virtue of the attention the standards bring to improving process management through the principles of total quality management (TQM). ISO 9001 was revised in 2000 to incorporate the principles of TQM into its certification criteria. Therefore, by extension, TQM maturity, in general, may also provide a signal of supply chain risk management maturity.
A large number of organizations, covering a wide variety of industries, are ISO 9001 certified. Because quality standards and certifications are intended to unify and improve business practices as a whole, the following question arises: are companies that have more mature quality systems, and certified to ISO 9001 in particular, better equipped to manage risk? Researching companies who have quality management programs and how their processes have improved since implementing them may shed light on protecting a company's assets, operations, and its structure from adverse risk events. This research assists in confirming the following statement: A company's use of a TQM system, and particularly through ISO 9001 certification, ensures a high level of risk maturity as compared to that of companies that do not implement a TQM system and/or quality certifications.
In the next section, the literature is reviewed and research questions stated. This is followed by the research methodology, which includes a description of the data. Results are then presented. The findings of this research are subsequently discussed and conclusions drawn. This is followed by a discussion of areas for further study and limitations to the research.

Literature review
A study involving supply chain risk starts with a classification of all potential risks. These typically include the following: supply risk, demand risk, process risk, technology risk, logistics risk, information risk, and environment risk [1,2]. The current research focuses on supply and demand risks because these present supply chain managers with significant challenges due to the severity of the impact and difficulty of effective mitigation. Van Miegham [3] characterizes the loss of a key supplier as having a high effect for aggregate loss severity and a moderate probability of occurrence. Further, Chen et al. [4] report that demand risks have a direct negative effect on supply chain performance. The literature also recommends differing approaches to moderating the occurrence of supply or demand disruptions, such as firm innovativeness, process modularity, and interactive complexity reduction [5][6][7]. These all relate to the types of activities involved in a quality management strategy that seeks to simplify, standardize, and generally improve products and processes.
As noted, the occurrence of a supply chain risk event can be damaging to any organization no matter where they may be within the supply chain. Technically speaking, risk is defined as the (negative impact to objectives × likelihood of occurrence). Risk management contains four primary steps within its processes. These steps include the following: • Risk identification, • Qualitative or quantitative assessment, • Risk prioritization, and • Response planning and risk monitoring.
Within these four steps are the proper responses to various types of risk. The first possible response is to mitigate risk. Mitigating entails performing an action to reduce the impact or likelihood of various risk events. The second possible response is to avoid risk. Avoiding risk entails completely ceasing the various activities that create said risk. The third response is to transfer risk. Transferring risk involves shifting risk to other operational areas of the supply chain that are better equipped to handle risk events. The fourth and final way to manage risk is to accept risk. Risk may be accepted if its consequences do not outweigh the benefits of surrounding the risk that is created [8]. Three common methods of assessing risk are effective, but not unified in their approach.
The first method is the Delphi method. The Delphi method was originally developed in 500 B.C. by Greek prophets [9]. The prophets would hear various people's complaints, develop a response, and allow the people to formulate a revised complaint. This method was revised by the RAND Corporation in the 1950s and followed the Greek's original method. The RAND Corporation's method consisted of surveys, followed by a response, followed by revised surveys based on initial results. This process gave participants a chance to re-assess criteria and re-evaluate based on the responses, which provided greater insight to their issues at hand. The main drawback to this method is it is time consuming, because of the analysis of the initial surveys followed by the revisions of the second round of surveys.
The second popular method is Monte Carlo Simulation. This method was developed in the Monte Carlo casinos to gauge risk brought upon by the various gambler's chances of winning. This method focuses on uncertain risk and is assessed by model construction and analysis through computer simulation. The negative aspect of this method occurs, because it requires extensive mathematical prowess and requires significant amount of education to be proficient.
The third method is decision tree analysis. Decision tree analysis utilizes graphical methods to draw correlations to common risks. This method is effective, because it creates a visual image of how various risks are linked, but suffers because of its simplicity [10].
Normally, since avoiding risk is so vital, there should be a series of guidelines in place to facilitate conducting supply chain risk management (SCRM) while supporting total quality management (TQM). Performed literature review indicates that there is no unified series of standards of avoiding risk. Even though most companies have their own emergency preparedness plans in place, a majority of company executives do not review or approve them and only 42% conduct emergency preparedness practices on a regular basis [11]. Companies must learn how to handle diverse amounts of risk such as natural disasters, political unrest, or acts of terrorism. Prior to September 11, 2001, preparedness levels addressing terrorism did not exist.
The World Economic Forum (WEF) has reported that although supply chain risk is an important issue, it is widely mismanaged [12]. Consistent mismanagement of risk across multiple industries might have a ripple effect on global risk which tends to amplify the disruptive impacts of a local risk event with resulting impacts far beyond the corporate sector. The believed cause is companies' inability to detect these ripples (such as the effects of catastrophes and pandemics on the other side of the world) before they become waves that disrupt their supply chains [13]. Many of these preparedness plans have been found to be inefficient because of lack of communication and collaboration, such as Alabama and Louisiana's responses to Hurricane Katrina [14].
Along with natural disasters and man-made risk, there is organizational and network risk. Organizational risks include inventory risk, process/operational risk, quality risk, and management risk, while network risks result from interactions between organizations within the supply chain. Agility, flexibility, contingency planning, and preparedness are preferred generic strategies for managing such risks in general [15]. It has been found that larger companies in the private sector are better equipped to individually handle disaster than smaller companies in the public sector [16][17][18]. These small companies simply do not have the resources to develop a proactive approach, so instead they take a more defensive (reactive) approach constituting risk elimination aspects [19]. Performed research indicates a gap between the risk management policies that large companies are capable of implementing and what their smaller counterparts are able to produce. Many have tried to develop supply chain risk management policies linking risk identification, risk assessment, and risk mitigation to risk performance [20]. Academics along with industry leaders see a need to replace traditional and varying risk management techniques for ones that are better designed to handle extreme complexities, unpredictable events, and threats. They have sought to discover a link between vulnerable factors and controllable factors. The Supply Chain Resilience Assessment and Management (SCRAM) framework was developed, but only served to suit the needs of a select few companies [21]. Companies must also have a framework in place to address general risk between inter-organizational partnering. Once two or more companies become partners, they assume the other's risk in some or a large capacity, as previously mentioned [22]. According to Zhao et al. [23], "…supplier, internal, and customer integration are the most important drivers for schedule attainment, competitive performance, and customer satisfaction, respectively" (p. 115). They find that supply chain risks are negatively related to supply chain integration. Although global integration is crucial and necessary to be competitive, it inherently carries an increased amount of risk.
Performed literature review shows that multiple organizations and companies have tried to institute best practices for mitigating risk. However, there is not one general set standard for how to approach the subject of avoiding or correcting risk in the supply chain. The reason for this variety in practices is possibly because of the variety of industries coupled with the varying ways in which risk can present itself. The food industry will not have the same problems as a metal manufacturing industry. Even within the same industry, companies might not have the same problems. A seafood distributor will have different issues to assess than a fruit producer. These varying sources and types of risk have made it difficult to create guidelines in order to steer companies in the right direction to manage risk in their supply chain. Also, since there is a lack of general guidelines concerning risk management, every industry (even every company) has taken it upon themselves to develop their own guidelines.
The International Standard for Organization (ISO) seeks to remedy the varying levels of supply chain risk preparedness and quality by allowing companies to become universally certified in various ISO certifications to promote a unity of practice.
The steps for ISO certification are as follows: Certifications, such as ISO 9001, and guidelines, such as ISO 31000, are best suited to prepare companies to handle risk (www.iso9001.com, 1) (www.iso.org, 1). Specifically, ISO 31000 (containing ISO Guide 73:2009 and ISO/IEC 31010:2009) seeks to establish guidelines for risk. ISO 31000 contains within it risk management principles, a framework for risk management, and a process for managing risk. It purports to be applicable to any organization regardless of size or sector and claims to increase the likelihood of improving the identification of opportunities and threats, thereby allowing an organization to more effectively allocate and use resources for risk treatment. ISO 31000 does not allow for certification but can aid with internal and external audits. These guidelines allow preparation for strategic, operational, and management risk and provide insight into the philosophy and practices that an organization might adopt in building an effective risk management system.
The ISO 9001 standards are also closely related to the approach used in quality improvement systems. In fact, the literature reports that there is a relationship between TQM and ISO 9001. TQM principles were incorporated into the ISO 9001 standard in the year 2000, so a significant relationship is likely to exist [24]. Studies have since shown a relationship between ISO 9001 and TQM. Psomas et al. [25] found that ISO 9001 certified companies achieve significant quality improvement through the implementation of the core process management practices characteristic of TQM. Sampaio et al. [26] found that most researchers in this area reason that ISO 9001 and TQM are very similar and should both be implemented in the organization together [27][28][29]. Others suggest that the structure of ISO 9001 can actually aid in the implementation of TQM practices [30]. Therefore, one would expect TQM principles and practices to be present in organizations that have achieved ISO 9001 certification. A few supply chain risk and quality studies do exist. Chapman et al. [31] studied delivery lead time variability and quality management. Tse et al. [32] explored quality and safety problems in the supply chain and introduced a supply chain risk management framework to reduce quality risk. Therefore, the relationship of supply chain risk management to quality management practices has not been widely studied. Based on this review of the literature, the following statements will be assessed empirically:

1.
Organizations that are ISO 9001 certified have more mature risk management systems than organizations that are not ISO 9001 certified.

2.
Organizations that have more mature risk management systems also demonstrate more mature quality management systems.

Data and research methodology
Data for this study came from a list of approximately 3000 United States-based organizations, compiled from the 2014 IAAR Directory, ISM-CV, and CSCMP member lists. These organizations cover varying locations throughout the United States spanning industries such as medical, manufacturing, government, etc. The approach used in this study is a survey questionnaire, conducted via e-mail, that includes demographic questions and questions specific to quality and risk management practices to gauge the relationship of quality management practices and risk management practices of organizations. The answers to the survey questions are then used to compare the level of risk management between organizations who more effectively use quality improvement practices and those who do not.
The survey was distributed to potential respondents using Qualtrics survey software. The survey components contained questions measuring the respondent's position within the organization, their familiarity with the organization's quality management and risk management practices, the organization's size, industry and position within the supply chain, where and how the organization manages risk, the company's quality management practices, and their ISO 9001 certification status. The answers to most of these questionnaire statements were then ranked with answers on a 1-5 scale (1 being the worst and 5 being the best). These responses were analyzed using SPSS software. Selected items from the survey questionnaire are provided in the Appendix. These statements include the number of responses in each category, as appropriate.
The measurement of quality management practice within organizations was taken from the work of Dellana and Kros [33]. They developed a set of 13 statements that cover the main quality issues in an organization that could be found at any point in the supply chain and also in any type of industry. In their study, these 13 statements were split into two distinct constructs. Based on data from 565 respondents, 8 of the statements were assigned to the construct of internal-downstream quality (i.e., customer-related), while the remaining 5 statements were grouped under the construct of external-upstream quality (i.e., supplier-related). In their investigation, the internal-downstream construct was found to be associated with industry class and a measure of supply chain position, while the external-upstream construct was not. Therefore, in the current research, the measure of quality maturity is limited to the eight statements from Dellana's and Kros's previous work that made up the internal-downstream construct (ref. question 9 of the Appendix). The measurement of risk management practice in organizations was more challenging. No generally accepted measure of risk management maturity was found in the literature. Therefore, a set of statements was inspired and derived from a number of sources, including the ISO 31000 guidelines [34][35][36][37][38][39][40][41][42]. This resulted in the 15 statements listed in the questionnaire for question 7 of the Appendix.

Results
The results of the survey based on SPSS statistical software analysis are as follows. A total of 500 of the approximately 3000 potential respondents reached an active e-mail account. Of these 500, responses to the questionnaire were received from 40 individuals. Of these 40 responses, 18 respondents indicated their organization as ISO 9001 certified, while 20 responded that their organization was not ISO 9001 certified (two did not respond to the ISO certification question and therefore these two questionnaires were unusable). Analysis of nonresponse bias was performed by comparing the mean score for TQM of early versus late responders. There was no significant difference in the mean score between the two groups (t = 1.40, p = 0.18). However, given the small sample size, a comparison of means is by no means conclusive. Therefore, this study and its findings are considered preliminary and exploratory in nature. It should also be noted that this survey was conducted prior to the issuing of the ISO 9001:2015 standards, which incorporate a focus on risk management. The standards in force at the time of this research were ISO 9001:2008.
A general consideration of the survey responses related to demographics of the individual and organization follows. The job title and level of the respondents was generally varied. However, most of the respondents were at the manager level and above (79%). Most were somewhat to very familiar with their organization's supply chain risk management process (78%), with 38% reporting being very familiar. The overwhelming majority were somewhat to very familiar with their organization's quality management practices (94%), with 53% reporting being very familiar. The organizational size, based on number of employees, also varied quite a lot. Grouping into three categories of small, medium, and large yields relative percentages of 42, 29, and 29%, respectively. About 40% of respondent organizations have a department dedicated to supply chain risk management, while about 32% have each department responsible for assessing supply chain risk related to their particular function. Approximately, 35% are involved in the manufacturing part of the supply chain, while about 38% are involved in distribution. The rest appear to be various services that relate to differing parts of the supply chain. The organizations fall mostly into the general industry categories related to manufacturing (34%) and services (34%). This is followed by transportation/distribution at about 21%. Finally, 47% of respondents reported their organizations are ISO 9001 certified while 53% reported not having ISO 9001 certification.
A factor analysis using principal component analysis was performed on the eight TQM-related questions to assess whether or not they were consistent with prior research. However, it should be noted that, for the purpose of factor analysis, the present sample did not meet the requirement that minimum sample size be at least 10 times the number of variables per Nunnally [43] (n = 40, <10 × 8 = 80). That said, these 8 statements were already shown in Dellana and Kros's previous study to have met the requirements for factor analysis.
It was found that the eight TQM-related statements all loaded strongly on a single factor. Metrics related to factor analysis were run. The KMO measure of sampling adequacy (index = 0.863) and Bartlett's test of sphericity (p = 0.0000) were found to be acceptable. Therefore, the results presented herein were very consistent with prior work, which gave support for this research. The model met underlying assumptions (except sample size issues). The reliability of all eight questions together also was very good (Cronbach alpha reliability = 0.93). The TQM maturity variable value used in SPSS analysis was the average score for the eight statements out of a possible score of 5.0. Therefore, a higher average score indicates greater TQM maturity. f. Risk assessment is a quantitative process for us n. We work with our customers to identify and mitigate potential supply chain risks Table 1. Results of factor analysis for supply chain risk management (SCRM) measurement.
Because the result was so positive for the TQM measure, factor analysis was also conducted on the supply chain risk management (SCRM) statements using principal components analysis in SPSS. Once again, the sample size requirement of Nunnally was not met in this case, so the analysis is preliminary. The KMO measure of sampling adequacy (index = 0.783) and Bartlett's test of sphericity (p = 0.0000) were found to be acceptable. Two factors were extracted using a varimax rotation and Kaiser normalization. The reliability of the statements in the two SCRM factors held very well with Cronbach's alpha measures of 0.88 and 0.86 for Factor 1 and Factor 2, respectively. The two SCRM factor sets are described in Table 1 and are synonymous with the survey statement designations. Factor 1 seems to describe more so "What" is managed during risk assessment, while Factor 2 seems to describe "How" this risk is assessed and corrected. An overall measure of SCRM combines these two sets of statements for a total of nine statements. In all cases of the risk maturity variables (i.e., SCRM, SCRM1 and SCRM2) the value used in SPSS analysis was the average score for the related statements out of a possible score of 5.0. Therefore, a higher average score indicates greater SCRM maturity.

Research question 1
The first research question explores whether organizations that are ISO 9001 certified have more mature risk management systems than organizations that are not ISO 9001 certified.
The relationship of ISO certification with SCRM was measured with the dependent variable entered as the respective risk management variables (i.e., SCRM1, SCRM2, and SCRM) using a univariate linear regression in SPSS with ISO 9001 certification as an independent variable. In all cases, the number of employees, supply chain position, and TQM score were also entered as control variables. Because of low frequencies by category, some data consolidation was performed. The number of employees was collapsed into small, medium, and large groups. Supply chain position was generally sorted into manufacturing and distribution and other.
The results of the regression analysis are given in Table 2. Backward removal of variables in SPSS resulted in the ISO 9001 reaching a significance of at best p = 0.064. This was for the case of the SCRM overall. SCRM2 was second best with a significance of p = 0.079. Neither of these make the generally accepted threshold of 0.05 significance level and were, therefore, not included in the final SPSS models. The models were also run with all control variables excluded to determine whether this would make a difference to the result. The outcome was similar to the model that included control variables, with SCRM1 at a significance of p = 0.806, SCRM2 at a significance of p = 0.061, and SCRM at a significance p = 0.248. Therefore, the evidence is weak for a conclusion that ISO 9001 certified organizations have more mature risk management systems than non-ISO 9001 certified organizations.
A breakdown by industry type had been a goal of this research, but the sample size was too small to accommodate a rigorous statistical analysis. However, it is worth noting that the split of ISO and non-ISO certified organizations was quite different between organizations classified as manufacturing (9 certified, 4 noncertified) and those classified as service (2 certified and 11 noncertified). Distribution-related organizations were more evenly split (five certified and three noncertified). Table 3 shows a breakdown of the scores for SCRM and TQM by major industry type. The scores for SCRM seemed to favor the service organization over manufacturing, especially for SCRM2. Although ISO 9001 does not clearly differentiate regarding SCRM maturity, there is at least the implication in this research that industry type may be a differentiator. A similar analysis could be conducted by supply chain position. It might be expected that organizations further downstream in the supply chain would exhibit greater SCRM maturity than those upstream given the lengthening of the supply chain heading

Research question 2
The second research question explores whether organizations that have more mature supply chain risk management systems also demonstrate more mature quality management systems. The simple linear regression analysis of Table 2 incorporates the TQM score as an independent variable in the analysis of relationships with SCRM variables. TQM was found to be strongly significantly related to SCRM1 (p < 0.000) and SCRM overall (p = 0.002). Both of these met the generally accepted threshold of 0.05 significance level and were, therefore, included in the final SPSS models. SCRM Factor 1 statements tend to describe the actual risk management process details, outlining the process steps and who is involved. SCRM Factor 2 statements are more general and have more to do with the timing and nature of the process. The models were also run for SCRM variables with TQM as the only independent variable in each case to determine whether this would make a difference to the result. The outcome was similar to the model that included control variables with SCRM1 at a significance of p < 0.000, SCRM2 at a significance of p = 0.248, and SCRM at a significance p = 0.003. This suggests that the presence of a mature TQM program may signal a more mature supply chain risk management system based on the actual process scope and steps.
Analysis was also run on the correlation between TQM and SCRM1 specifically to see where there were strong relationships between specific quality management statements and supply chain risk management maturity statements. SCRM1 statements i, k, and l were all positively correlated to TQM statements a, b, c, d, e, g, and h (see Table 1 for the specific questions). SCRM1 statement m was positively correlated to TQM statements a, b, c, g, and h. SCRM1 statement n, b, g, h was positively correlated to TQM statements b, g, and h. Therefore, statement f, "Quality metrics or standards are kept," was not correlated to any SCRM1 statements. This analysis suggests that TQM is strongly related to most of the SCRM1 statements, with only a few weak relationships. Statement 6 stands out as unrelated to SCRM1, while statement n of SCRM1, "We work with our customers to identify and mitigate potential supply chain risks", stands out as only weakly related to TQM.

Conclusions
These results suggest that ISO 9001 is not strongly related to supply chain risk management maturity. There was not a strong relationship between ISO certification and company's preparedness level of SCRM and TQM. However, TQM is clearly related to SCRM1, no matter the variables that are included. The more mature a company's TQM practices, the more mature the company is in terms of SCRM as identified by the SCRM Factor 1 (which describes the actual risk management process details, outlining the process steps and who is involved). Most of the statements comprising this factor were positively correlated to the TQM statements (denoting total quality management practices). In particular, these included the following SCRM1 statements: We follow the four step process of risk identification, analysis, education, and treatment;" • (k) "We prioritize risk events based on severity of impact to our organization;" • (l) "We involve our suppliers in identification and mitigation of potential supply chain risks;" • (m) "We encourage our suppliers to use a structured risk management process (e.g., ISO 31000)." The statement related to customers (i.e., "We work with our customers to identify and mitigate potential supply chain risks") was only weakly associated to TQM.
The lack of significance between ISO9001:2008 and the two factors of SCRM, based on survey results and analysis, suggests that the standards for ISO 9001:2008 and 31000 do not provide a significant advantage to risk assessment and management.
Though they provide positive frameworks for overall company structure and project development, ISO 9001:2008 was not equipped to provide a framework for risk management that eclipses alternative methods. It should be noted that ISO 31000 is a new addition and has not yet been fully developed. Before the implementation of ISO 31000, risk was not explicitly addressed under ISO standards.

Limitations and further research
The number of respondents in this study was relatively small and necessarily reduces the power of the statistical tests in this study. The low response rate also introduces the potential for nonresponse bias. Therefore, the conclusions should be treated with caution. However, the results suggest that a higher response rate would indicate a similar pattern of results based on prior studies, in particular related to the TQM maturity metric.
To further aid such a study, case studies may be performed to monitor the daily processes of companies who are and are not ISO certified. This would provide more of an in depth analysis of the effects of ISO certification on risk management. E-mail provided certain limitations to accessibility, because of company filtering software and lack of personal interaction. Joint participation with the ISO organization into the effectiveness of their certifications would also lead to a better understanding and greater ease of access.
However, the results of this initial survey and analysis suggest that ISO does not play a significant role in risk assessment and correction. Though, the more mature a company is able to be in terms of their total quality management procedures, the better equipped it will be to handle supply chain risk.
Further study should be conducted to seek a larger sample size in order to assess the reliability of the results in this study. It would also help shed light on differences by industry type and supply chain position. However, this will necessarily involve the newer standards for ISO 9001:2015. Therefore, it is unlikely that this study can be replicated. It would, nonetheless, still be of interest to assess the degree to which the new standards have impacted on organizational effectiveness in managing risk in the supply chain. Since the new standards now focus attention specifically on risk management, it should signal to customers that ISO 9001:2015 certification is a good supplier prequalifier when it comes to supply chain risk management and not just quality. Or at least that would be the expectation. Further study is needed to confirm this.

Appendix: Selected survey questions (number responding given in parentheses)
1. What is your current job title/level?

2.
About how many employees does your organization have?

4.
How does your organization conduct supply chain risk analysis? (select one) • We outsource our supply chain risk analysis to a consulting firm. (1) • We have a dedicated Risk Management Department (i.e., an internal consultant) that performs supply chain risk analysis for the organization. (9) • Each department is responsible for assessing supply chain risk related to their particular function. (12) • We have a specific department (e.g., procurement) that is charged with managing supply chain risk. (Please specify department:) (6) • Other. Specify: (9) 5. Which of the following positions best describes your organization's business function in the supply chain?

6.
How familiar are you with your organization's supply chain risk management process?
• Very unfamiliar (7) • Unfamiliar (1) • Somewhat familiar (7) • Familiar (8) • Very familiar (14) 7. The following statements relate to your organization's supply chain risk management system. Please indicate the degree to which you agree or disagree with each statement in relation to your organization.
b. Risk management is an ad hoc process for us that occurs informally on an as-needed basis.* c. Our risk management assessment occurs on a regular schedule.
d. Our risk management assessment is based on probability analysis of relevant risks.
e. Our risk management assessment occurs at least annually.
f. Risk assessment is a quantitative process for us.
g. Our risk management process is assessed for continual improvement.
h. Top level management is involved in our risk management process.
i. We follow the four step process of risk identification, analysis, education, and treatment.
j. We prioritize risk events for treatment based on results of risk analysis.
k. We prioritize risk events based on severity of impact to our organization.
l. We involve our suppliers in identification and mitigation of potential supply chain risks.
m. We encourage our suppliers to use a structured risk management process (e.g., ISO 31000).
n. We work with our customers to identify and mitigate potential supply chain risks.
o. We have a process in place for corrective feedback to our risk management process.
*Coded in reverse in the analysis.

8.
How familiar are you with your organization's quality management practices?
• Very unfamiliar (1) • Unfamiliar (1) • Somewhat familiar (5) • Familiar (9) • Very familiar (18) Exploring the Relationship of Supply Chain Risk Management to Quality Management http://dx.doi.org/10.5772/65847 9. The following statements relate to your organization's quality management system. Please indicate the degree to which you agree or disagree with each statement in relation to your organization.
b. Customer data are used to make internal quality improvements.
c. Customer complaints are tracked and managed through a formal complaint system with feedback.
d. Customer service standards are kept.
e. Employee use of quality-related problem solving techniques is actively supported (ex. DMAIC, control charting, etc.).
f. Quality metrics or standards are kept.
g. Team-based quality improvement is actively supported.
h. Top management has a demonstrated commitment to quality.

10.
Is your organization certified for ISO 9001 or equivalent?