Andreas Wieland works as a research associate at the Competence Center for International Logistics Networks in Berlin, funded by Kühne-Stiftung. He studied Business Information Systems at Technische Universität Clausthal, at the Royal Institute of Technology Stockholm (Sweden), and at the University of Münster (Germany) (areas of concentration: information systems and economics). He completed various internships and collected national and international work experiences. Within the Competence Center for International Logistics Networks, Andreas Wieland’s field of interest is security in global supply chains. Specifically, he is developing strategic solutions to integrate security aspects into supply chain management, and he researches the nature of secure supply chain topologies.

Introduction

In the aftermath of the September 11, 2001, attacks in the United States and attacks against conveyances, a lot of attention has been paid to securing supply chains against terrorist attacks: laws and regulations have been enacted, private initiatives have been founded, standards have been established, new technologies have been developed, and security management has been improved.

Besides terrorism, supply chains have always confronted crime. Though many companies still consider supply chain security to be just cumbersome requirements imposed by legislation, other companies recognize that the provision of supply chain security can be a step toward customer orientation and thus a competitive advantage.

In supply chain management, the sum of the participant’s single optimum will usually not lead to a total optimum. A holistic approach is therefore broadly accepted to consider both the supply chain as a whole and its elements in detail. ^{1, 2} This approach takes all participants into consideration far beyond the boundaries of individual companies³ when implementing an integrated management for the entire supply chain in spite of its decentralized nature. A transfer of the holistic approach in supply chain management to supply chain security can thus help to achieve it to an appropriate extent. A supply chain is as secure as its weakest element, since an attack against that element can lead to the collapse of the entire supply chain. This makes a holistic approach even more important.

However, the understanding of supply chain security still focuses on a set of many individual measures (security management measures such as contingency planning, security technologies such as electronic seals, and security regimes such as specific laws) rather than on a holistic approach that takes all of them into consideration and binds them together. No effective instrument can be found that helps to transfer a holistic security strategy defined in a macro view to the atomic elements of a supply chain managed in a micro view by pursuing a top-down approach. A realization of such an approach could be found in a framework that is able to integrate all core fields to achieve supply chain security systematically and consistently.⁴

A framework arranges elements and relationships of an original in a high level of abstraction using a selected structuring in an arbitrary language.⁵ Such a framework has been developed using reference modeling⁶ as a research methodology and is therefore an exemplary model for any supply chain in which security has to be integrated. Using it allows the implementation of a selected strategy for supply chain security.

Supply Chain Security

Sure enough, terrorism has become a major topic for security efforts in supply chains since the September 11, 2001, attacks. Security is not a new topic in supply chain management, though, because of the ever-present occurrence of ordinary crime, particularly theft, on which security regimes already focused. Besides these regimes, security efforts also result from the self-interest of a company to minimize crime-caused losses, which are cost-relevant problems for them. Additionally, today many customers expect a high security level as a component of a company’s service portfolio. In terms of customer orientation, security efforts may therefore be comparable to quality efforts and cannot be neglected by a company, especially when dealing with high-value or hazardous goods.

According to ISO 28000, security in a supply chain can be defined as “resistance to intentional, unauthorized act(s) designed to cause harm or damage to, or by, the supply chain.”⁷ Security can be achieved in the entire supply chain only if it is borne in mind at an early stage when planning the supply chain design to attach security as a fundamental feature. Furthermore, security must not be forgotten in the company’s everyday life, since even small security gaps may lead to tremendous harm, if they allow a perpetrator to destroy a building, steal freight, or even cause casualties. Supply chain security therefore needs to simultaneously address both the entire supply chain (the holistic view) and its constitutive elements (the atomic view).

On a more holistic level, one way to provide security is by planning the design of the supply chain, taking robustness into consideration. Supply chain robustness is defined “as the extent to which the supply chain is able to carry out its functions despite some damage done to it, such as the removal of some of the components in the logistical network.”⁸ On a more atomic level, technology can be used to secure specific elements of a supply chain—such as electronic seals to protect containers, immobilizer systems to protect trucks, and alarm systems to protect buildings. Security management, security technologies, and security regimes can be considered the pillars of supply chain security. These can jointly provide capable measures to enhance security.

A framework for supply chain security can be constructed by identifying elements of a generic supply chain that are relevant to improving its security and connecting them systematically. The framework can be used as a reference model to be applied to a specific supply chain. A broadly accepted supply chain definition is taken as a basis to identify typical elements of the system “supply chain” as follows.

Developments in the international business world led to the notion that firms are bound in a networked supply chain.⁹ A network can be treated as an interconnected system of nodes and their linkages. According to Martin Christopher, a supply chain is “the network of organizations that are involved, through upstream and downstream linkages, in the different processes and activities that produce value in the form of products and services in the eyes of the ultimate consumer.”¹⁰ Nodes in supply chains are thus organizations or—more detailed—locations of organizations, particularly in the form of buildings. Linkages are realized as routes of transport between these locations. However, looking only at nodes and linkages of supply chains would neglect the entire supply chain, especially when defining a security strategy and deducing an appropriate network topology.

Leveled Hierarchy

Now, a framework with six levels is presented. Every level represents a security-relevant view of a supply chain or a part of it and is explained in detail in the following sections. Figure 1 schematizes the framework. The levels are these:

1. Security strategy: At first, a security strategy for the entire supply chain is selected. The supply chain’s precise design is not defined in this level, but in the subordinate ones.
2. Network topology: A network topology is derived from the global security strategy (level 1) in level 2 by defining the number, type, and location of linkages and nodes (both treated as black boxes here) of the supply chain.
3. Linkage: Each linkage within the network (level 2) is further managed in level 3. Security measures for each route are selected and the conveyances (treated as black boxes here) are managed.
4. Conveyance: For each conveyance, security measures are selected in level 4 in accordance with the security requirements for the specific commodities (treated as black boxes here) transported in it.
5. Node: Each node within the network (level 2) is further managed in level 5, bequeathing the security requirements of level 2. Security measures for each building, place, or other immobile property have to be selected.
6. Commodity: Finally, for each commodity that can be found either in a conveyance or in a node, security measures are selected. This is managing the properties of a commodity and observing the commodity’s location.

Figure 1: Framework for supply chain security.

These levels are put into a hierarchy, although not a strict one, since both level 3 and level 5 are derived from level 2, and level 6 is derived both from level 4 and level 5. This systematic layout allows transmitting of strategy requirements used in a certain level to another (less abstract) level and enriching its application within the narrower context of the derived level by adding more operational details. The narrower the network scope in the subordinate levels, the more specific is the view of that part of the supply chain: The different scopes of the levels are depicted in figure 2. These specific levels are chosen because each of them focuses on an element or part of a supply chain that is relevant to supply chain security, and the focus of each level can be understood as a closed system for which security has to be managed. Additionally, each level represents a sphere of influence for a specific group of decision makers.

Orthogonally to these levels, three pillars are chosen to represent measures for management, regimes (laws and regulations, standards, and initiatives) and technologies in the context of supply chain security. Hence, the framework guides the user not only to refine a security strategy while transmitting it from level to level but also to bring the strategy in each level to operational life by choosing appropriate security measures—that is, level-specific best practices.

Figure 2: Scope of framework levels.

Level 1: Security Strategy

It is a fundamental idea of modern business management that supply chains, rather than individual businesses, compete for market share.¹¹ Accordingly, supply chain management abandons the traditional notion that single optima of enterprises will lead to a total optimum of the entire supply chain. Optimizing the supply chain must hence be focused. Security can be a valuable building block within a supply chain strategy and needs to be configured carefully. Level 1 directs a strategic macro view of the broad scope of security for the entire supply chain.

Distinctive for level 1 is a top management view of the supply chain, neglecting supply chain elements, such as buildings, routes, and conveyances, which are not viewed here. Configuring such elements is an operational task to be done in subordinate levels of the framework, understanding the security strategy of a supply chain as a fact there. The selection of the strategy in this level is therefore a crucial step to pave the way for supply chain security. The main purpose of the security strategy level is to define the overall security strategy for the supply chain. The appropriate relationship between security and costs—two dimensions with often conflicting aims—is to be chosen in this definition process. Particularly, supply chains for high-value or hazardous products will usually affect the selection of this relationship for the benefit of security. Here, the security strategy appropriate for product A may be improper for product B.

For example, the alignment of the security strategy may follow the customer focus of supply chain management. Many customers prioritize fast delivery or low costs. In contrast, a supply chain strategy that incorporates security aspects may be attractive for another, security-aware customer group. Security can hence be compared to quality, which is already broadly accepted as a valuable supplement to traditional cost-centered strategies.^{12, 13} Due to the large scope in level 1 that encompasses the entire supply chain, the responsibility for the definition of the security strategy is shared among all supply chain participants. If no overpowering participant usurps this responsibility, this makes it necessary to use collaborative supply chain management systems.¹⁴

Level 2: Network Topology

Now, when entering the black box “supply chain” mentioned before, it is considered as a network of nodes and linkages. Its architecture or topology is usually established for the middle term. The appropriate design of the network topology of a supply chain is crucial to achieving its robustness, which helps to enhance security. Due to a conflict of aims between robustness and efficiency within networks,¹⁵ configuring its topology is by no means trivial and has to be considered carefully. For that reason, the network topology of supply chains is centered in level 2 of the framework for supply chain security.

The network topology is derived from the strategy by concretizing the exact number, type, and location of linkages and nodes of the supply chain, bearing security considerations in mind. Both nodes and linkages are treated as black boxes here. A more specific treatment of the interior for these elements is later to be achieved in the subordinate levels. The main purpose of the network topology level is the derivation of the appropriate relation between robustness and efficiency from the overall security strategy defined in level 1. Real data and expertise about security characteristics of countries, enterprises, and routes have to be used when selecting proper nodes and linkages.

Figure 3: Redundant suppliers to improve supply chain robustness.

Prevalently, redundancy is sought to achieve robust and resilient supply chains.¹⁶ Christopher Tang in 2006 presented nine robust strategies for mitigating disruptions.¹⁷ Among them is a flexible supply base to handle demand fluctuations smoothly and to maintain a continuous supply of materials when a major disruption occurs (figure 3); another strategy is flexible transportation, for example when using multimodal transportation. Security can also be improved through real-time vehicle routing.¹⁸ Specific types of routes are more vulnerable than others. Two types of routes or two countries can be compared to learn about the frequency and impact of criminal and terrorist action to substantiate routing and location decisions. It is often not a single enterprise to build up the network topology of a supply chain from the drawing board. The ability to collaborate with partners is thus crucial in this level.

Level 3: Linkage

Linkages within a supply chain have been treated as black boxes so far. Physical conditions of routes and positions of conveyances in it have been neglected. A linkage is realized by a route (for example, street) and interfaces to adjacent nodes (for example, warehouses). In our framework, an independent level is necessary to concentrate attention on a specific linkage in detail rather than on the entire supply chain in general. Level 3 is established to focus on a single linkage between two nodes to instill security in this specific part of the supply chain.

The security characteristics of a linkage are derived from the network topology built up in level 2 by selecting security measures for each route and managing the conveyance within the linkage. Each conveyance is treated as a black box here and will be viewed granularly later on. Note that the implementation of level 3 has to be carried out repeatedly for each linkage of the supply chain due to different requirements respecting the peculiarities of each linkage. The main purpose of the linkage level is to define the degree of security for each linkage and to select corresponding security measures. An aspect such as costs for security of a linkage has to be considered when determining the appropriate degree of security. A linkage already begins on the sender’s premises and ends on those of the receiver.

Here, a linkage is seen as a closed system that has to be protected against disruptions both from the system’s environment and from inside the system. For example, a fleet management system can help to employ a set of conveyances appropriately. Tracking and tracing technologies deliver information about the status of a conveyance and about the shipment during its transportation via a linkage. This allows intervention when a disruption occurs. To minimize cargo theft and to protect drivers against violations, secure truck parking sites can be established. To protect a linkage against disruptions from outside, physical measures (such as a fence surrounding a railway track) can be imposed. The responsibility for a linkage is shared at least among sender, carrier(s), and receiver. Thus, to design security of a linkage, they have to arrange things with one another.

Level 4: Conveyance

Conveyances have been neglected in the aforementioned levels. A surjective relationship exists between a linkage and its conveyances (for example, various trucks can be used for a single street). Thus, case-based security measures have to be configured for each conveyance. Furthermore, the complexity of the inner life of a ship, truck, train, or plane requires particular attention to the configuration of its security.

The security characteristics of a conveyance are chosen in accordance with the security requirements of the associated linkage (level 3) by selecting appropriate security measures to protect the conveyance and its components inside. Each commodity is treated as a black box here. The implementation of level 4 has to be carried out repeatedly for each conveyance of the linkage. The main purpose of the conveyance level is to protect the system “conveyance” inside by examining and managing its components (such as driver and commodities) and from outside by considering its interfaces to the environment (doors, for example). Both crime and terrorism have to be considered here to avoid cargo theft, vandalism, aggression against a driver, and unauthorized insertion of material (such as chemicals, biologics, radioactive or nuclear material, or explosives).

Security training helps to enable drivers to avoid dangerous situations and prepares them for such situations—for example, when robberies are perpetrated. Furthermore, additional security staff can be equipped to increase security onboard a conveyance—on a ship, for example. Sensor technology (measuring, for example, light or temperature) and cameras can be used to detect incidents. Alarm systems use screaming signals to deter third parties from approaching a conveyance. Immobilizers can be used to prevent intruders from driving the conveyance. Usually a single enterprise possesses a conveyance. Thus, the configuration of security for a conveyance can be conducted without a complex coordination process.

Level 5: Node

Unlike linkages, nodes (such as harbors, airports, railway stations, plants, and warehouses) are tied to a certain location, making them less easily exchanged. Additionally, nodes possess specific, often security-relevant processes that cannot be found in linkages. Particularly, security measures to avert theft or terrorism differ between nodes and linkages. Although node-linkage interfaces have been compassed in level 3, security within nodes has not yet been conceived explicitly.

Security characteristics of a node are derived from the security requirements of level 2 and have to be adjusted with security required in adjacent linkages. Thereafter, security measures have to be selected for each building, place, or other immobile property. Commodities, which are treated as black boxes here, have to be managed properly. Again, the implementation of level 5 has to be carried out repeatedly for each node to satisfy node-specific requirements. The main purpose of the node level is to define the degree of security for each node and to select corresponding security measures. Level 5 aims to enhance security for internal processes in nodes and for interfaces with the world outside to shield threats from there. Components within the nodes (commodities) are managed in a security-supporting way.

Among physical security measures are appropriate fences or—using technology—alarm systems for a building. Access control can be used to protect premises. Here, biometrics can be applied to automate this concept. Besides physical measures, the management of a node can be designed in a way that comprises security considerations. For example, a business continuity plan can be established for each node to prepare for criminal acts and terrorist attacks. A single enterprise can possess various sites. Each site can be understood as node. A node is usually situated within the sphere of power of a single enterprise. This makes it easy to control security.

Level 6: Commodity

Commodities can be found in virtually the entire supply chain: in its nodes, linkages, and conveyances. Security measures to be managed for a commodity thus need to be selected regardless of its location. For example, physical security measures for a container will protect its content both when the container is situated in a warehouse and during its transportation in a truck. This requires an additional security level in the framework for supply chain security to protect commodities.

Products play a star role in supply chains and often dominate the security strategy for the entire supply chain. Security requirements for commodities are hence closely connected to the security strategy of their supply chain. Furthermore, security requirements for a commodity and for associated nodes and linkages have to fit together. The usage of this sixth level sheds light on the last black boxes, by glancing at commodities using a micro view. The commodity level’s primary purpose is to provide security for commodities and their constituents against a third party, such as a criminal who tries to steal components of a commodity from its covering box. Furthermore, it is purposed to protect commodities against direct impacts from a third party, such as a terrorist who tries to plant hazardous material in a container.

A necessary measure to enhance security for commodities is appropriate packaging. Non-transparent material may already help to prevent theft, because of the increased complexity that perpetrators face when trying to identify their object of desire in a storage space. However, usually more sophisticated solutions are needed. For example, bolt seals help to identify incidents during transportation. Electronic seals may even collect status information during the entire transport of containers. Smart containers store a set of sensors inside them to recognize intrusions or radioactivity. Responsibility for commodity security remains in the hands of several parties. Once put into a container, products are hard to be influenced until the container reaches the receiver. All participants thus have to guarantee security jointly. Standardization may help to minimize coordination between the parties.

Conclusions

Commonly, security is improved in companies by using operational measures. In accordance with a top-down approach, operational measures to improve security in a supply chain have to conform to a superior strategy. However, no effective system can be found that acts as a superstructure to join operational security measures and directs them to a superior strategy. This idea is fulfilled by the framework for supply chain security. Its six levels are interlinked hierarchically to assist in transferring a security strategy to the operational bottom of a supply chain. Level-specific security measures can then be selected to improve security, bearing in mind the security requirements of superordinate levels. A favored degree of security selected for the entire supply chain can finally be found in every node and linkage as well as in every commodity of a supply chain. Using different levels reduces the overall complexity to achieve security of a supply chain by segmenting the supply chain in manageable parts.

References

Click on an end note number to return to the article.

1. Goran Svensson, “Holistic and Cross-Disciplinary Deficiencies in the Theory Generation of Supply Chain Management,” Supply Chain Management, vol. 8, no. 4, 2003, pp. 303–316.

2. Martin Christopher, Helen Peck, and Denis Towill, “A Taxonomy for Selecting Global Supply Chain Strategies,” International Journal of Logistics Management, vol. 17, no. 2, 2006, p. 278.

3. O. K. Helferich and R. L. Cook, “Global Supply Chain Security,” in J. T. Mentzer et al. (ed.), Handbook of Global Supply Chain Management (Thousand Oaks, CA: Sage, 2007), p. 500.

4. H. Baumgarten and A. Wieland, “Lieferkettensicherheit,” in H. Wolf-Kluthausen, ed., Jahrbuch Logistik 2008 (Korschenbroich, 2008), pp. 190–193.

5. V. Meise, “Ordnungsrahmen zur prozessorientierten Organisationsgestaltung. Modelle für das Management komplexer Reorganisationsprojekte,” in Schriftenreihe Studien zur Wirtschaftsinformatik, Band 10 (Hamburg, Germany, 2001), p. 62.

6. J. Becker, M. Rosemann, and R. Schütte in 1995 presented generally accepted modeling principles. These have been incorporated into the modeling process for the framework for supply chain security. J. Becker, M. Rosemann, and R. Schütte, “Grundsätze ordnungsmäßiger Modellierung,” Wirtschaftsinformatik, vol. 37, no. 5, 1995, pp. 435–445.

7. ISO 28000:2007. Specification for Security Management Systems for the Supply Chain (Geneva, Switzerland: International Organization for Standardization, 2007), p. 2.

8. Yongyut Meepetchdee and Nilay Shah, “Logistical Network Design With Robustness and Complexity Considerations,” International Journal of Physical Distribution & Logistics Management, vol. 37, no. 3, 2007, p. 203.

9. Injazz J. Chen and Antony Paulraj, “Towards a Theory of Supply Chain Management: The Constructs and Measurements,” Journal of Operations Management, vol. 22, no. 2, April 2004, pp. 119–150.

10. Martin Christopher, Logistics and Supply Chain Management: Strategies for Reducing Cost and Improving Service, 2nd edition (London: Financial Times/Pitman, 1998).

11. Geir Gripsrud, Marianne Jahre, and Gøran Persson, “Supply Chain Management—Back to the Future?” International Journal of Physical Distribution & Logistics Management, vol. 36, no. 8, 2006, p. 645.

12. Donald J. Shemwell, Ugur Yavas, and Zeynep Bilgin, “Customer-Service Provider Relationships: An Empirical Test of a Model of Service Quality, Satisfaction and Relationship-Oriented Outcome,” International Journal of Service Industry Management, vol. 9, no. 2, 1998, pp. 155–168.

13. This led to the adoption of quality management approaches to security management, for example by inventing total security management. Compare this with the work of Luke Ritter, J. Michael Barrett, and Rosalyn Wilson in Securing Global Transportation Networks: A Total Security Management Approach (New York: McGraw-Hill, 2007), p. 19.

14. An overview of such systems can be found in Mohsen and Sharmin Attaran, “Collaborative Supply Chain Management: The Most Promising Practice for Building Efficient and Sustainable Supply Chains,” Business Process Management Journal, vol. 13, no. 3, 2007, pp. 390–404.

15. Yongyut Meepetchdee and Nilay Shah, “Logistical Network Design With Robustness and Complexity Considerations.”

16. Yossi Sheffi, The Resilient Enterprise: Overcoming Vulnerability for Competitive Advantage (Cambridge, MA: MIT Press, 2005), p. 171.

17. Christopher S. Tang, “Robust Strategies for Mitigating Supply Chain Disruptions,” International Journal of Logistics: Research and Applications, vol. 9, no. 1, March 2006, pp. 33–45.A. Tatarakis, and V. Zeimpekis, “Minimizing Logistics Risk Through Real-Time Vehicle Routing and Mobile Technologies: Research to Date and Future Trends,” International Journal of Physical Distribution & Logistics Management, vol. 34, no. 9, 2004, pp. 749–764.

18. G. M. Giaglis, I. Minis,