How to Evaluate Supply Chain Risks, Including Sustainable Aspects? A Case Study from the German Industry

Purpose: Outsourcing transactions have arisen and evolved in recent years, and purchase managers want to know whether a Failure Mode and Effects Analysis (FMEA) is an effective qualitative technique for analyzing supply chain risks (SCR) properly. The aim of this study is to address this question by developing a practicable risk management process based on the guidelines of ISO 31000 for upstream Supply Chain Risk Management (SCRM), linking risk assessment, risk identification, risk analysis, risk evaluation and risk treatment, and to validate the process empirically through a case study.
Design/methodology/approach: After a review of the literature on Sustainable Supply Chain Risk Management (SSCRM), a case study based on a leading manufacturer of electrical products collects evidence of SSCRM implementation.
Findings: Supply chain disruptions are one of the most critical issues that can negatively influence a firm's performance. Avoiding and mitigating disruptions in the supply chain is one of the main challenges for supply chain managers.
Originality/value: This paper identifies ISO 31000, ISO 9001 and the use of an FMEA as means to analyze supply chain risks in a structured manner and outlines future research opportunities in the field of SCRM.


Introduction
What is ISO 31000 (2018) for? What are the benefits for my business? There is a growing need to answer these questions by defining a practicable risk management process and learning about best practices for Supply Chain Risk Management (SCRM). SCRM helps manufacturers plan for and handle disruptions in the supply chain (VanderBok, Sauter, Bryan & Horan, 2007), and research on supply chain risk management, including sustainable aspects, has evolved rapidly in the last decade. Although Sustainable Supply Chain Risk Management (SSCRM) research is no longer in its infancy, its practical implementation in firms has not yet been generally accepted. ISO 31000 (2018) is a family of standards relating to risk management codified by the International Organization for Standardization. The purpose of this standard is to provide principles and generic guidelines on risk management, and it is intended for use by anyone in a firm who manages risks (for internal as well as external processes). ISO 31000 (2018) seeks to provide a universally recognized paradigm for practitioners and firms employing risk management processes. In today's globalized and highly uncertain business environments, supply chains have become more vulnerable to disruptions. Admittedly, firms face an increasing number of risks associated with variable material costs or the availability of raw materials. ISO 31000 (2018) is intended to be a guideline for managers to develop a risk management strategy that effectively identifies and mitigates risks. However, practitioners still need to know how to implement this in practice while integrating sustainable criteria as defined in ISO 26000 (2010). This standard provides guidance on implementing and improving the social responsibility of organizations, mainly towards society and the environment.
To address this need, this research work, which is part of Medina-Serrano's dissertation (2019), has three primary goals: 1) review and update the literature on SSCRM, 2) determine whether ISO 31000 (2018) provides understandable guidelines for planning and executing SSCRM and 3) collect evidence of SSCM implementation through a case study in the German industry. The rest of the paper is organized as follows: Section 2 provides the literature review on supply chain risk management and presents and describes a process and a framework derived from ISO 31000 (2018). In Section 3, the proposed process is validated through a case study, and trends from experimental evaluations and analyses are presented in order to assess the effectiveness and efficiency of the proposed process. Finally, Section 4 presents and discusses the main conclusions, the limitations and the topics related to this study that might be researched in the future.

Literature Review: SCRM Approach
Despite the relevance of the theory of Resource Dependence (Pfeffer & Salancik, 1978; Su, Mao & Jarvenpaa, 2014), the Agency theory (Eisenhardt, 1989; Bahli & Rivard, 2003) seems to best represent the theoretical framework for studying the need to evaluate supply chain risks from the organizational perspective in this study, as it helps expose problems of divergent interests in outsourcing and suggests the convenience of ensuring an optimal contractual relationship between principals and agents to reduce the degree of uncertainty usually inherent to agents' behavior. The Agency theory reminds practitioners and researchers that much of organizational life is based on incentives and self-interest (Eisenhardt, 1989; Bhattacharya & Singh, 2019). This theory may help them evaluate chances and risks, including the social, environmental and economic aspects outlined in this research work. Apart from this, firms' resources are limited (Oliver, 1997), and firms often depend on their supply chain in general (Mills, Platts & Bourne, 2003) and on their own suppliers in particular (Fink, James & Hatten, 2011). This dependency, in line with the theory of Resource Dependence, can help decision makers evaluate supply chain risks and especially take into account cases where firms depend on single sources. Behzadi, O'Sullivan, Olsen and Zhang (2018) identified robustness and resilience as two key techniques for managing risks and suggested metrics for measuring them. Admittedly, these two characteristics should be taken into account in every risk assessment framework. According to them, "robustness is an ability to withstand disruption with an acceptable loss of performance, whereas resilience (i.e. contingency plans that reduce time-to-recovery) is the potential to recover quickly from disruptions".
While Curkovic, Scannell and Wagner (2013) proposed the FMEA (Failure Mode and Effect Analysis) as a tool to evaluate supply chain risk management, Varzandeh, Farahbod and Zhu (2014) performed an empirical investigation of supply chain sustainability and risk management. Also in the risk management field, Ratnasari, Hisjam and Sutopo (2018) assessed risk management using the house of risk (HOR) method, which is a modification of the FMEA and HOQ (House of Quality) methods. The model is split into two stages. During the first stage, risks and risk-causing agents are identified, and then the severity and occurrence are measured to calculate the Aggregate Risk Priority value. Hence, robustness is assessed. The second stage is intended to formulate and prioritize risk mitigation actions and to strengthen the resilience of the firm in order to reduce the probability that risk agents occur. Whereas D'Amore, Mocellin, Vianello, Maschio and Bezzo (2018) proposed a model for optimising European carbon capture and sequestration, including societal risk analysis and risk mitigation measures, Rostamzadeh, Ghorabaee, Govindan, Esmaeili and Nobar (2018) developed an integrated fuzzy TOPSIS-CRITIC approach for the evaluation of SSCRM. For the evaluation of the sustainability aspects, they proposed three categories, mainly: (1) organizational sustainability, (2) social responsibility, and (3) environmental sustainability. The definition of sustainability in the sense of sustainable business practices applied by Rostamzadeh et al. (2019), including social, environmental and economic aspects, is used in this research work.
Admittedly, the probability of disruption in supply chains differs depending on the adopted sourcing strategy (single source [domestic], foreign and dual sourcing). Kumar, Basu and Avittathur (2018) stated that the interplay of three important factors (market potential, relative cost advantage and probability of disruption) plays an important role in the competitive dynamics. The SCRM field is not new, and many researchers have proposed SCRM frameworks in the past (Hallikas, Karvonen, Pulkkinen, Virolainen & Tuominen, 2004; Kleindorfer & Saad, 2005; Manuj & Mentzer, 2008; Foerstl, Reuter, Hartmann & Blome, 2010; Tummala & Schoenherr, 2011). However, as already pointed out by Scannell, Curkovic and Wagner (2013), they failed to find a consensus about the basis of SCRM.
Whereas Foerstl et al. (2010) advanced the study in the field by analyzing how competitive advantage can be generated with the development of appropriate sustainable supplier management programs, Hoffman, Busse, Bode and Henke (2014) investigated the processes whereby supply chain issues may generate sustainability-related risks. Later on, Giannakis and Papadopoulos (2016) explored the nature of sustainability-related supply chain risks, distinguishing them from typical supply chain risks, and developed an analytical process for their management. They conducted an empirical study to generate insights about how sustainability-related risks should be managed in an integrated way. Through personal interviews, 30 risks across the main pillars of sustainability (environmental, social) were identified. More researchers addressed this topic from different perspectives. For instance, Govindan, Fattahi and Keyvanshokooh (2017) researched supply chain network design under uncertainty, and Mani, Delgado, Hazen and Patel (2017) researched how to mitigate supply chain risks via sustainability using big data analytics. In 2018, Valinejad and Rahmani (2018) proposed a framework for managing the sustainability risks of the supply chain for telecommunications companies, while Jabbarzadeh, Fahimnia and Sabouhi (2018) researched sustainability analysis under disruption risks. In 2019, Baryannis, Validi, Dani and Antoniou (2019) provided a comprehensive review of supply chain literature that addresses problems relevant to SCRM using approaches that fall within the Artificial Intelligence (AI) spectrum.
Implementation of ISO 31000 (2009) within supply chain risk management has been reviewed in the past. However, after the new release of ISO 31000 in the year 2018 and the integration of chapter 6.1 (actions to address risks and opportunities) as part of ISO 9001, revision 2015, an update in the literature was required. Whereas ISO 31000 (2018) has the character of a guideline and recommendation for the industry, ISO 9001 (2015) sets requirements for it. On the one hand, one of the key changes in the 2015 revision of ISO 9001 is to establish a systematic approach to risk. By taking a risk-based approach, a firm becomes proactive rather than purely reactive, preventing or reducing undesired effects and promoting continual improvement. Preventive action is automatic when a management system is risk-based. ISO 9001 (2015) defines risk as "the effect of uncertainty on an expected result". This standard uses risk-based thinking to achieve this in the following way:
• "Clause 4 - the organization is required to determine its Quality Management System (QMS) processes and to address its risks and opportunities.
• Clause 5 - top management is required to: promote awareness of risk-based thinking; determine and address risks and opportunities that can affect product/service conformity.
• Clause 6 - the organization is required to identify risks and opportunities related to QMS performance and take appropriate actions to address them.
• Clause 7 - the organization is required to determine and provide necessary resources (risk is implicit whenever "suitable" or "appropriate" is mentioned).
• Clause 8 - the organization is required to manage its operational processes (risk is implicit whenever "suitable" or "appropriate" is mentioned).
• Clause 9 - the organization is required to monitor, measure, analyse and evaluate effectiveness of actions taken to address the risks and opportunities.
• Clause 10 - the organization is required to correct, prevent or reduce undesired effects and improve the QMS and update risks and opportunities" (ISO 9001, 2015).
On the other hand, the updated ISO 31000 (2018) provides more strategic guidance than ISO 31000 (2009) and places more emphasis on both the involvement of senior management and the integration of risk management into the organization. ISO 31000 (2018) suggests that effective risk management is characterized by principles, framework and process. The standard states that managing risk is based on the principles, framework and process so that it is efficient, effective and consistent, and that the purpose of risk management is the creation and protection of value. The principles of risk management and the framework are interrelated. Risk managers are asked to integrate risk management into the firm in a customized and proportionate manner, employing the framework as a tool to achieve the required integration. The framework is split into five steps, mainly: (1) integration; (2) design; (3) implementation; (4) evaluation and (5) improvement. This approach is illustrated in Figure 1 and integrates the well-known Deming or PDCA (plan-do-check-act) cycle (Johnson, 2016). Leadership and commitment play an important role within the framework, aligning risk management with the firm's strategy, objectives and culture.
First, the integration step establishes the risk management strategy and framework and the roles and responsibilities. Second, the design step articulates the risk management commitment, allocates resources and establishes communication and consultation arrangements. Third, the implementation step develops an appropriate implementation plan, including deadlines. Fourth, the evaluation step measures the framework's performance and effectiveness against its purpose, implementation and behaviors. Finally, the improvement step improves the suitability, adequacy and effectiveness of the risk management framework.
Risk management should be an integral part of all organizational activities, including procurement (ISO 31000, 2018). The risk management process involves the systematic application of policies, procedures and practices to the activities of communicating and consulting, establishing the context and assessing, treating, monitoring, reviewing, recording and reporting risk (see Figure 2). According to the ISO 31000 (2018), the risk management process is focused on (1) communication and consultation; (2) scope, context and criteria; (3) risk assessment, split into (3.1) risk identification, (3.2) risk analysis and (3.3) risk evaluation; (4) risk treatment; (5) monitoring and review; and (6) recording and reporting.
(1) During the communication and consultation stage, different views should be considered when defining risk criteria and evaluating risks. Workshops and regular meetings are appropriate in order to bring different areas of expertise together for each step of the risk management process.
(2) Defining the purpose, the scope of risk management activities and the risk criteria are part of the second stage.
(3) Risk assessment describes risks that might help or prevent achievement of objectives and their consequences. This includes risk identification; risk analysis, taking into account the level of risk and consequences; and risk evaluation to determine the significance of risk.
(4) Risk treatment involves designing risk treatment plans that explain how the treatment options will be implemented.
(5) Monitoring and review include monitoring the risk management (RM) process and its outcomes, addressing responsibilities accordingly.
(6) Recording and reporting entail recording results and providing feedback.
After the implementation of the risk management plans, a re-evaluation is strongly recommended to evaluate the effectiveness of the implemented actions.
Successful implementation of a risk management initiative is an ongoing process that involves working through the implicated activities on a continuous basis.

Data Collection Methods: In-Firm Case Study
The in-firm case study was based on information obtained from a leading manufacturer of electrical products certified to NEC, CEC, ATEX, GOST, Inmetro and IECEx standards. The firm is a global player based in Germany with 1,669 employees and a €275m turnover (key figures from the end of 2019). The SSCRM process is operationalised worldwide, and the firm has a supply chain structure connected with suppliers from all over the world, from domestic suppliers located close to the firm to suppliers located in the US, all around Europe, India, China, South Korea, etc. The main criterion for the selection was that the firm had recently faced raw material supply disruptions and needed to develop an efficient and effective SSCRM process in order to proactively prevent possible future shortages. Also, one of the authors has a professional relationship with the analyzed firm. The predefined conceptual framework was validated based on a number of interviews with practitioners and middle-level managers. The interviews, the design of the interviews, the analysis of the transcripts and the incorporation of the findings into the framework are described here. Qualitative data analysis was conducted following the Miles and Huberman (1994) methodology of data reduction, data display and conclusion. Within the data reduction phase, the mass of qualitative data obtained through interview transcripts, observations, notes, etc. is reduced and organized, and non-relevant data is discarded. Within the data display phase, the analysis is displayed in the form of tables, charts and other graphical formats as a continual process. Finally, in the conclusion phase, the analysis review is the basis for developing conclusions and for verifying and validating the study. The meanings from the data are tested for their plausibility and their validity.
Practitioners were selected based on their experience in dealing with supply chain risk and outsourcing transactions; they are mainly the persons responsible for the supply chain within the firm under study. Standardized interviews following a general methodology and relying on a pre-designed questionnaire were undertaken in order to avoid bias and to allow a qualitative comparison. The interviews took place at the aforementioned firm. They were split into individual interviews and group interviews as part of a series of Quality-Procurement circle meetings. Within those circle meetings, workshops based on the Scrum methodology were conducted, highlighting timeboxes and iteration between team members and co-workers and keeping an eye on User Stories from the client and firm perspective. A total of 7 practitioners were interviewed, reviewing those user stories concerning expected supplier performance, such as statistics about parts delivered free of failure, on-time delivery performance, rapid support from suppliers, bidirectional communication with suppliers, reaction time and level of trust with them. The analytical techniques applied were chosen to be appropriate for the theory and research objectives. Semi-structured interviews with middle-level managers were conducted, taking over one hour and mainly covering the following topics:
• Details of the interviewee
• Areas related to supply chain risks in practice
• Triggers for supply chain risk evaluations
• Strengths and weaknesses of current and past evaluations
• Lessons learned and suggestions from current and past evaluations
• Criteria to be considered during the supply chain risk evaluations
• Functions involved in the supply chain risk evaluation process
• Relevant financial consequences of supply chain risks
This study analyzes SSCRM from the buyer's perspective, as was done in the past by Cheng, Yip and Yeung (2012) in the Chinese business context.
In order to build a robust process for the practical implementation of the SSCRM tool, a case study was required to validate the aforementioned guidelines of ISO 31000 and the requirements of ISO 9001. The case study was carried out using multiple sources of evidence such as supplier delivery contracts, supplier audit reports, the firm's internal meeting reports, final reports and project plans. This helped to provide validity and reliability to the case study (Yin, 1994). In addition to refining the proposed process and framework, the case study will be useful to illustrate how to implement and adapt the process in firms and how to use the framework in a customized manner.

Findings from the Case Study
The firm required a standardized SSCRM process across the different business units and manufacturing locations. However, there were clear problems with the control of documentation, and the way SSCRM approaches were conducted and documented depended on the participants involved. In addition to this, interviewees proposed potential improvements during the different workshops in order to standardize the process. The involvement of a multidisciplinary team was mentioned by all interviewees. A key input collected during the case study is the need to re-evaluate the effectiveness of the SSCRM actions taken, document the changes made in writing and reassess them if appropriate. Furthermore, we identified in the case study the need to improve communication throughout the firm, defining the criteria for monitoring, reporting and recording. A series of workshops was planned with the decision makers involved in the supply chain risk management process, so that the process could be evaluated by experienced managers dealing with supply chain risks. Along the process, the firm carries out all the stages proposed in Figure 2.
(1) Communication and consultation are conducted through regular meetings and documented in meeting minutes, second party audit reports, etc. Communication and consultation are both internal and external. The project leader or supply chain manager is responsible for providing the required monitoring information and provides interorganizational visibility regarding either the normality or abnormality of supply chain processes related to the fulfilment and on-time delivery of a purchase order. This is supported by Giannakis and Louis (2011). In our case study, risk owners are defined depending on the related material group or business unit. Thus, all suppliers are grouped into defined material groups.
(2) Establishing the scope, context and criteria: Procurement, business unit, material group and risk criteria. Depending on the approach to SSCRM, the risk mitigation approach could be either proactive or reactive. We identified in our case study the different directions in the SCRM field proposed by Ghadge, Dani and Kalawsky (2012), mainly: behavioural perceptions in risk management; sustainability factors; risk mitigation through collaboration contracts; visibility and traceability: risk propagation and recovery planning; industry impact; and holistic approach to SCRM.
The decision to choose the right SCR strategy is crucial and is found to be influenced by the behavioural aspect of supply chain managers. Therefore, we proposed to take the decisions in workshops with trained supply chain managers, taking into account the following characteristics:
A) Sustainable factors are taken into account as part of the definition of the firm's internal code of conduct and its supplier code of conduct.
B) Development of long-term supplier partnerships and strategic alliances becomes a robust risk mitigation strategy.
C) An ERP system like SAP, which is implemented in the firm, provides visibility and traceability in order to proactively monitor possible supply chain risks.
D) The replenishment lead time of the products can be set in the firm's SAP for certain products under Material Requirements Planning (MRP) in order to improve forecast data.
E) This risk management process should be adapted to the firm's needs and the firm's strategy.
F) Product life cycle and quality risks like possible recalls and poor customer service should be considered in SSCRM.
The context was established in one of the firm's internal QM/Procurement meetings. The need was pointed out to arrange a series of workshops to improve the procurement process in general and the SSCRM process in particular, considering the different business units and material groups. The risk category matrix was defined based on the scale dimensions probability and impact from Wittmann (2000) and its implementation by Thun and Hoenig (2011), providing three different risk categories (risk criteria are drawn in Figure 3):
a) Green: Risk A; Low Risk-Minor; Risk is acceptable, actions are not required, but possible.
b) Yellow: Risk B; Medium Risk; Risk shall be reduced, actions are required.
c) Red: Risk C; High Risk; Risk is unacceptable, actions are required.
Risk A is set for scores between 4 and 12, Risk B between 16 and 64 and Risk C from 80 until 320. The risk is calculated by combining the likelihood of occurrence of the risk event with the importance of the risk and its consequences, determined by a categorized monetary assessment. While the probability is categorized as Unlikely, Very low, Low, Moderate, and High, the risk importance is evaluated according to the following criteria, mainly: Insignificant <= 5000€; Low > 5000€ and <= 10000€; Critical > 10000€ and <= 50000€; Catastrophic with reversible damage > 50000€ and <= 500000€; and Catastrophic with irreversible damage > 500000€.
(3) Risk assessment is split into:
(3.1) Risk identification
During the first workshop, decision makers were split into two groups and listed a number of opportunities and risks they face during the whole supply chain process, employing a brainstorming methodology. After the group work, both teams presented their results and a discussion took place.
(3.2) Risk analysis, SWOT-analysis, Ishikawa diagram
In the second workshop, decision makers classified the listed opportunities and risks and grouped the repeated wording using a SWOT-analysis and Ishikawa diagram (see Figure 4). The following questions and topics were answered during the SWOT analysis (see Figure 5):
• Which requirements are suitable?
• Regular needs
• Value high demand
• Supply critical needs
• What opportunities are hidden behind the strengths?
• What risks are hidden behind the weaknesses?
• What strengths do you have?
• What are your weaknesses?
• Do we have the strengths to take advantage of our opportunities?
• Do we have the strengths to handle risks?
• What risks are we exposed to because of our weaknesses?
By the third workshop, decision makers evaluated the defined risks using an FMEA and agreed on the risk evaluation criteria. The FMEA was adapted by removing the detection criteria from the Risk Priority Number (RPN) evaluation to simplify its use, and is illustrated in Figure 6.
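The scoring scheme described above (a two-factor RPN without the detection criterion, mapped to Risk A/B/C) can be sketched as follows. This is an added example, not code or data from the paper: the numeric weights per probability and importance level are assumptions, since the text does not state them, and the risk register is constructed sample data.

```python
from dataclasses import dataclass, replace

# Probability levels named in the paper, lowest to highest.
PROBABILITY_LEVELS = ("Unlikely", "Very low", "Low", "Moderate", "High")

# Monetary importance bands from the paper: (inclusive upper bound in EUR, label).
IMPORTANCE_BANDS = (
    (5_000, "Insignificant"),
    (10_000, "Low"),
    (50_000, "Critical"),
    (500_000, "Catastrophic with reversible damage"),
    (float("inf"), "Catastrophic with irreversible damage"),
)

# ASSUMPTION: numeric weights per level. The text does not state them; these are
# chosen so that every product falls inside one of the three published bands.
PROBABILITY_WEIGHT = dict(zip(PROBABILITY_LEVELS, (1, 2, 4, 8, 16)))
IMPORTANCE_WEIGHT = dict(zip((label for _, label in IMPORTANCE_BANDS), (4, 8, 12, 16, 20)))

# Score bands from the paper: Risk A 4-12, Risk B 16-64, Risk C 80-320.
RISK_BANDS = ((4, 12, "A"), (16, 64, "B"), (80, 320, "C"))


def importance_level(loss_eur: float) -> str:
    """Map an estimated monetary loss to the paper's importance label."""
    if loss_eur < 0:
        raise ValueError("loss must be non-negative")
    for upper, label in IMPORTANCE_BANDS:
        if loss_eur <= upper:
            return label
    raise ValueError("loss is not a number")  # only reached for NaN


def rpn(probability: str, loss_eur: float) -> int:
    """Adapted RPN: probability weight x importance weight, no detection factor."""
    if probability not in PROBABILITY_WEIGHT:
        raise ValueError(f"unknown probability level: {probability!r}")
    return PROBABILITY_WEIGHT[probability] * IMPORTANCE_WEIGHT[importance_level(loss_eur)]


def risk_category(score: int) -> str:
    """Return 'A', 'B' or 'C'; scores in the gaps between bands are undefined."""
    for low, high, category in RISK_BANDS:
        if low <= score <= high:
            return category
    raise ValueError(f"score {score} lies outside the defined risk bands")


@dataclass(frozen=True)
class RiskEvent:
    material_group: str
    description: str
    probability: str
    loss_eur: float

    @property
    def score(self) -> int:
        return rpn(self.probability, self.loss_eur)

    @property
    def category(self) -> str:
        return risk_category(self.score)


def top_risks(events, n=5):
    """Highest-scoring events first; ties keep their register order."""
    return sorted(events, key=lambda e: e.score, reverse=True)[:n]


def reevaluate(event, probability=None, loss_eur=None):
    """(score, category) before and after a treatment changes the inputs."""
    treated = replace(
        event,
        probability=probability or event.probability,
        loss_eur=event.loss_eur if loss_eur is None else loss_eur,
    )
    return (event.score, event.category), (treated.score, treated.category)


# Constructed sample register (hypothetical material groups and events).
REGISTER = [
    RiskEvent("Castings", "Single-source supplier insolvency", "Moderate", 120_000),
    RiskEvent("Electronics", "Late delivery of components", "High", 8_000),
    RiskEvent("Packaging", "Excessive packaging, non-compliance", "Low", 4_000),
    RiskEvent("Plastics", "Raw material price increase", "Very low", 30_000),
    RiskEvent("Fasteners", "Documentation error", "Unlikely", 2_000),
    RiskEvent("Cables", "Environmental accident at supplier", "Low", 700_000),
]

if __name__ == "__main__":
    for e in top_risks(REGISTER):
        print(f"{e.material_group:12} {e.score:4} Risk {e.category}  {e.description}")
    # Re-evaluation after a treatment lowers the likelihood (e.g. a second source).
    print(reevaluate(REGISTER[0], probability="Very low"))
```

With these assumed weights, all 25 probability and importance combinations land in one of the three bands, so the gaps between 12 and 16 and between 64 and 80 are never reached.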

(4) Risk treatment: SSCRM plan
During the fourth workshop, a risk management plan with current and actual risk cases from all the different material group categories was created and prioritized by the related risk owner, and it was agreed to re-evaluate the implemented corrective actions using the new RPN from the FMEA. From the strategies proposed by Manuj and Mentzer (2008) (avoidance, postponement, speculation, hedging, control, sharing/transferring, and security), we adopted the strategies defined by the Project Risk Management Guide of the Washington State Department of Transportation (2018), which are aligned with them, mainly: Avoid, Transfer, Mitigate, Acceptance, Exploit, Share and Enhance.
Current risk events for each material group were defined, focusing on the determination of the TOP5 risk events. Defined actions with insight into the firm's supplier audit plan for the coming year 2019 were taken into account. The SCRM plan is illustrated in Figures 7 and 8.
(5) Monitoring and review: defined KPIs from the firm's score card are monitored. KPIs are defined and integrated into SAP. Thus, risk managers can review the past and current status of all the products and all qualified suppliers. Non-qualified suppliers are removed from the database, so that no one in the firm can place a purchase order with them. Monitoring is also carried out by performing first and second party audits, using visual RADAR diagrams or the turtle methodology for process-specific audits.
(6) Recording and reporting: meeting minutes, audit reports, SSCRM reports, and recording in the firm's SAP database (vendor master) and/or the supplier contract management archive as part of the firm's SharePoint database.

Discussion and Conclusions
Our research results seem to be supported by researchers like Curkovic et al. (2013) who proposed the FMEA as a tool for the supply chain risk management evaluation. However, we considered their proposal only as a part of the entire SSCRM process and not as a sole process. In contrast to the research works of Rostamzadeh et al. (2018) who understood the sustainability concept on supply chain in terms of organizational sustainability, social responsibility and the environmental sustainability, we proposed the sustainable evaluation of external providers according to the requirements defined at the ISO 9001 (2015) (quality management), ISO 14001 (2015) (environmental management), ISO 50001 (2018) (energy management), ISO 45001 (2018) (occupational health and safety) and guidelines of ISO 26000 (2010) (social responsibility of organizations) certification standards. Among other important aspects, whereas environmental aspects comprise environmental accidents, pollution, non-compliance with sustainability laws, emission of gases, ozone depletion, energy consumption, excessive or unnecessary packaging, product waste, etc.; social aspects encompass pandemics, social instability, healthy, safe working environment, etc.
Following the past implementation of ISO 31000 within supply chain risk management by Scannell et al. (2013), we updated the SSCRM literature based on the new release of ISO 31000 in the year 2018, focusing on leadership's role and responsibility and highlighting the evaluation of external providers' corporate social responsibility.
Admittedly, the implementation of the SSCRM process requires the definition of relevant KPIs and monitoring them via a suitable and adapted IT system depending on the firms' needs.
The research presented in this paper has important implications for theory and practice in the supply chain in general and in procurement management in particular. Past literature reviews provided valuable results, but an update in the literature was required after the release of the new ISO 31000 revision. Our findings from the case study support the statement from Tang and Musa (2011) that there is a "missing gap and potential in developing quantitative models" to resolve SSCRM decisions in a proper way. While Xanthopoulos, Vlachos and Iakovou (2012) proposed using a dedicated disruption risk management framework for different types of disruptions related, among others, to the supply of raw materials and the distribution system, our research proposes to implement the standardized framework from ISO 31000 (2018) in specific use cases. Our research seems to be aligned with the need, proposed by D'Amore et al. (2018), to formulate and prioritize the mitigation actions that the firm should pursue to reduce the probability of risk. Indeed, we defined three risk levels in order to simplify the risk assessment and risk evaluation of possible risk events.
Contrary to past approaches like the research of Kern, Moser, Hartmann and Moder (2012) who developed a model for upstream supply chain risk management without taking into account the communication, consultation, recording and reporting stage, we believe that SSCRM is a process linked to the principles described in the ISO 31000 (2018) and the sustainable guidelines defined in the ISO 26000 (2010) to reduce overall corporate risk by implementing a customized and adapted framework.
One of the main benefits for the firm of applying the proposed process is the rapid identification and evaluation of possible risk events in a structured manner, standardizing the process with regard to the implementation of the ISO 31000 (2018) guidelines so that risks can turn into opportunities to reduce supply chain disruptions. The case study validated the proposed process and verified its effectiveness through its step-by-step empirical implementation at the firm under study, and it proposes managerial implications of good practices from the empirical research collected in Section 3.1, for instance the need to use IT to monitor KPIs or the need for quantitative models, highlighting the importance of leadership and the commitment of global supply chain managers. Purchase managers should be trained according to the firm's internal SSCRM process in order to standardize the evaluation of risks and avoid differing perceptions of risk influenced by the behavioural aspects of purchase managers. This study aims to map the risks in the German industry and formulate risk mitigation alternatives to mitigate, avoid and prevent the risks. A combination of methods was proposed to select a set of proactive actions depending on the process stage in order to improve the process effectiveness and prevent or reduce supply disruption risks. The proposed SSCRM process will involve a two-stage implementation process: (1) the SSCRM process and (2) the managerial actions required to implement the SSCRM plan.
The systematic approach undertaken will provide future researchers and managers with an insightful understanding of the SSCRM field. Notwithstanding the above findings and contributions, this study faced a number of limitations, and so do its outcomes. Firstly, a potential limitation of this study stems from the fact that our in-depth analysis focused exclusively on one case study, located in Germany. In addition, the firm under study is a global player that identified a need to improve the supply chain risk management process, which makes the firm a qualified object of study and allows the generalization of the findings with certain limitations. As a consequence, a comparison with case studies from other regions was not carried out. Secondly, this research work is not specifically focused on sustainability risks, but integrates them into the supply chain risk management process, highlighting their importance in contrast to past viewpoints of decision makers and researchers. Thirdly, the integration of the ISO 31000 framework and process into the firm showed efficiency in the firm's SSCRM process, but how well is ISO 31000 accepted in other branches, regions and firms? Do firms find the adoption of ISO 31000 understandable and useful? Nevertheless, our findings seem to provide a valuable understanding of the current situation in this research field. The present study equally suggests several future research strands which may encourage more intensive studies in this important area. More qualitative research is needed to go deeper into the variety of different sustainable supply chain risks that require distinct assessment and risk strategies (avoidance, transference, acceptance, exploitation, sharing, enhancement, mitigation, etc.). Our proposed SSCRM process sheds light on the effects of upstream supply chain risk management activities on risk performance improvement.
However, it would be interesting to investigate what other factors and criteria contribute to upstream sustainable supply chain risk performance. In our opinion, this article can prove useful for researchers and decision makers, since new trends and standards are emerging in both areas that will probably lead to future research and different ways of implementing SSCRM in firms. Definitely, there is room for future researchers in the SSCRM field. The present paper will give rise to a new approach to studying SSCRM practices, one that also takes into account environmental and social risks such as pandemics with the appropriate relevance.