The current issue and full text archive of this journal is available at

www.emeraldinsight.com/1741-0398.htm

Information risks management in Information risks

management
supply chains: an assessment and
mitigation framework
677
Mohd Nishat Faisal, D.K. Banwet and Ravi Shankar
Department of Management Studies, Indian Institute of Technology,
New Delhi, India

Abstract
Purpose – This paper aims to identify various information risks that could impact a supply chain,
and develops a conceptual framework to quantify and mitigate them.
Design/methodology/approach – Graph theory has been used to quantify information risks while
interpretive structural modelling (ISM) is employed to understand the interrelationships among the
enablers of information risks mitigation.
Findings – The research presents a classification of the enablers of information risks mitigation
according to their driving power and dependence. It also presents a risk index to quantify information
risks. The research suggests that management should focus on improving the high driving power
enabler variables.
Practical implications – The proposed risk index and the hierarchy-based model would help to
develop suitable strategies to manage information risks in supply chains.
Originality/value – The major contribution of this paper lies in the development of a framework to
quantify information risks and a hierarchy based model for their mitigation in context of supply
chains.
Keywords Supply chain management, Information management, Risk management, Graph theory
Paper type Research paper

Introduction
Today business environment worldwide is experiencing a shift towards a
knowledge-based economy where the performance of an enterprise depends much
on the performance of its partners in the value chain. It has been recognised that high
transactional cost will be involved if information cannot be effectively and efficiently
communicated with customers externally and with suppliers internally (Choy et al.,
2004). Value in a supply chain is generated by lowering the firm’s or partner’s cost of
sourcing or sales or increasing the service level. This can be achieved by using
information technologies designed to manage complex information flows within or
between firms (Biehl, 2005). Thus the 2000s are about the integration between
enterprises and inter-enterprise processes with information technology tools
particularly the internet playing the role of a major enabler (Kirchmer, 2004). The
use of information technology to share data between buyers and suppliers has resulted
in the growth of virtual supply chains (Yusuf et al., 2004; Christopher, 2000). In a Journal of Enterprise Information
Management
Vol. 20 No. 6, 2007
The authors would like to put on record their appreciation for the two anonymous referees and pp. 677-699
q Emerald Group Publishing Limited
the Editor for their valuable suggestions, which has significantly improved the quality of the 1741-0398
paper. DOI 10.1108/17410390710830727
JEIM virtual supply chain the main driver would be information rather than the actual
20,6 physical flow of goods.
Thus in recent time along with the physical supply chain, there is an emergence of
information supply chain. This information sub-chain focuses on the management of
information flows and represents a philosophy of managing technology and processes
in such a way that the enterprise optimises the delivery of goods, services and
678 information from the supplier to the customer (Búrca et al., 2005). Thus supply chains
can be viewed as an example of an IT-enabled inter-organisational configuration,
where the coordination of logistics processes between organisations is the key to good
performance (Lewis and Talalayevsky, 2004). Use of IT has facilitated the following
major processes in a supply chain (Sabki et al., 2004; Davenport and Brooks, 2004;
Stockdale and Standing, 2004; Shore and Venkatachalam, 2003; Motwani et al., 2000;
Brandyberry and White, 1999):
.
information sharing;
. better integration;
.
access to global markets;
.
global partnerships;
.
changed production methods;
.
improved customer service;
. enhanced collaboration;
.
reduced transaction costs;
.
product and service customisation;
.
increased agility; and
.
real time information capture.

So managing information in an inter-organisational context has become critical and the

emergence of the internet and the range of related e-business technologies have created
new opportunities and threats (Møller and ERP, 2005). Consequently the boundaries for
evaluation and management of risk should extend beyond just the enterprise or
company to include the risks that are inherited from the myriad of inter-organisational
relationships that represent upstream and downstream trading partners in the supply
chain, outsourcers, and other electronically connected business partners (Sutton, 2006).
These threats require new approaches in the field of risk management. But research
dealing with issues related to information risks from a supply chain perspective is
almost negligible. The dynamics of the extended enterprise necessitates development
of new models to understand these risks.
Today, the understanding about various information risks like virus, worms, and
trojans has increased and organisations have become more cautious in their approach
towards managing information. But the efforts to manage information risks generally
focus within the organisational boundaries and are fragmented in their approach, while
the increased stress to work on real time information facilitated by intranet, extranet
demand new initiatives to manage these risks. In this context this research tries to
address the issue of information risks as it relates to supply chains. This paper
develops a new conceptual framework for mitigating and quantifying information
risks in supply chains. To date, there has been limited research undertaken in this area Information risks
and so the findings should provide an impetus for organisations to re-consider their management
approach to information risk management. Further, making use of interpretive
structural modelling and graph theoretic approach the conceptual framework shows
that to mitigate information risks there is a need to understand the mutual
relationships among the enablers of risks mitigation and a suitable metric to quantify
these risks. 679

Literature review
Developing a taxonomy of information risks in supply chains
Information technology (IT) and information systems (IS) are widely acknowledged as
one of the major enablers of business change (Irani et al., 2002). But the developments
in information, computing and communication technologies together with the
consequent erosion of entry and trading barriers represent factors, which have altered
the commercial relationships fundamentally and simultaneously enhanced the risk
exposure (Ritchie and Brindley, 2000). According to Aven et al. (2007) risk is the
combination of the two basic dimensions: possible consequences and associated
uncertainties. Thus the assessment and management of risks require both the
probability of risky events and the losses to be understood and identified, and
compared by applying a semi-quantitative scale (Hallikas et al., 2004).
The focus of supply chain risk management (SCRM) is to understand, and try to
avoid, the devastating ripple effects that disasters or even minor business disruptions
can have in a supply chain (Norrman and Jansson, 2004). Speckman and Davis (2004)
classifies risks in a supply chain into:
.
physical dimension;
.
informational dimension;
.
financial dimension;
.
security dimension;
.
relationship dimension; and
.
corporate social responsibility dimension.

Harland et al. (2003) provides a list of 11 categories of risks, but misses the information
risks. Four basic approaches that a firm could employ to mitigate risks through a
collaborative and coordinated mechanism are supply management, demand
management, product management, and information management (Tang, 2006).
Following this information risk can be defined as “the probability of loss arising
because of incorrect, incomplete, or illegal access to information” and information risk
management as “the management of information risks in supply chain through
coordination or collaboration among the supply chain partners so as to ensure
profitability and continuity”. Risks associated with information have a wide variety of
impacts. While the impact of information security/breakdown risks are very evident
and immediate on supply chain operations, the impact of risk like intellectual property
are not immediate but are critical for overall supply chain viability in the long term. So
based on the type of impact that different information risks have on the supply chain,
they can be broadly classified as:
JEIM .
information security/breakdown risks;
20,6 .
forecast risks;
.
intellectual property rights risks; and
.
IT/IS outsourcing risks.

680 Information security/breakdown risks

Information sharing among supply chain partners is the key to beat competition in the
marketplace and so any breakdown or security breach in the information system
would be critical for the whole network. Various losses associated with such events
include immediate lost sales, emergency service cost, cost of restoring data, and
long-term loss of customer goodwill (Cardinali, 1998). The financial consequences of
information system failure make it necessary to develop a strong link between risk and
cost-benefit analysis (Maguire, 2002).
Some common information security risks are:
.
Hackers, viruses and worms. Viruses, worms and trojans are common menace to
information systems. In a supply chain Tier II and Tier III level suppliers who
are generally small and medium enterprises, are the ones most susceptible to
such problems. Common reasons are non-availability of funds and lack of
information security policy. Also as technology has made web an integral and
necessary part of a business operation, hackers are using this technique to find
confidential information which they use as backdoor entry into a company’s
innermost secrets (Ford and Ray, 2004).
.
Spyware. It is a program that resides on computers linked to the internet and
surreptitiously collects various types of personal information (Kucera et al.,
2005). So in a supply chain they may pose threat by illegal transfer of proprietary
information.
.
Internal employee frauds. This is one of the important information risks faced by
organisations. Some of the common reasons are employee attrition,
intentional/unintentional disclosure of proprietary information or in some
cases personal vendetta against the company.
.
Distributed denial of services attacks. The three most common categories of DDoS
are bandwidth consumption, resource starvation, and resource exploitation
(Zhang and Chen, 2005; Abouzakhar and Manson, 2002). These attacks interrupt
legitimate access to the networks that may ultimately result in interruption to
supply chain operations.
.
Natural disasters and terrorist attacks. Tsunami, hurricanes (e.g. Katrina and
Rita), fires or terrorist attacks like 9/11 have brought forth the importance of not
only data backup but have made organisations to seriously think of mirror sites
to keep the flow of information uninterrupted in a supply chain. Also the
omnipresent internet technology could be leveraged by the terrorists to sieve
contents of government web sites and find potential targets, identify or exploit
weaknesses, obtain and integrate disparate information (Halchin, 2004).
Forecast risks Information risks
Forecast risks results from a mismatch between a company’s projections and actual
demand (Chopra and Sodhi, 2004). All kinds of information distortions in a supply
management
chain, often lead to the forecast risks. It creates situations where the orders to the
supplier tend to have larger fluctuations than sales to the customer. Major causes of
information distortion are (Lee et al., 1997):
.
promotions and incentives that lead to forward buying; 681
.
lack of knowledge of end-customer demand at upstream locations leading to
inaccurate demand forecast updating;
.
order batching leading to higher volatility in orders;
.
price fluctuation; and
.
rationing and shortage gaming.

To reduce the impacts of information distortion in supply chains concepts like

“collaborative planning, forecasting and replenishment (CPFR)”, “efficient consumer
response (ECR)” and “vendor managed inventory (VMI)” are being implemented.
Companies like Saturn, Dell, Whirlpool, and Wal-Mart are sharing information with
suppliers and customers to decrease costs and improve customer service that helps in
reducing forecast risks (Dennis and Kambil, 2003; Handfield and Nichols, 1999).
Intellectual property rights (IPR) risks
Intellectual property right (IPR) is a right given over a creation of the mind and to
exclusively exploit it for a certain period of time. In a supply chain context ownership
of knowledge and its legal use in cooperative development activities to make rapid
innovations with quick diffusion to the market place and fair sharing of benefits will be
the key means to success (Ganguli, 2000). With a growing trend for outsourcing
non-core activities, risks associated with intellectual property have become important.
In the last decade China and India has emerged as low cost destinations but these
countries have a poor track record of IP protection. Also in many cases suppliers are
serving competitors, aggravating the fears of proprietary information leakages in a
supply chain. In a turbulent business environment customers have many choices
available and thus intellectual property is the key to survival (whole of the software
business survival lies on IP protection). Understanding and managing risks associated
with intellectual property are important because:
.
uniqueness of product/services defines a supply chain’s position in the market;
.
intellectual property creation is an investment intensive activity; and
.
although it takes exhaustive efforts for creation, it can be easily replicated.

IT/IS outsourcing risks

Pervasive adoption of IT has made information technology outsourcing (ITO) a
growing multi-billion dollar industry (Cullen et al., 2005). IT outsourcing is broadly
defined as a decision taken by an organisation to contract-out or sell the organisation’s
IT assets, people and/or activities to a third-party supplier, who in exchange provides
and manages assets and services for monetary returns over an agreed time period
(Kern and Willcocks, 2000). Bahli and Rivard (2005) have identified various risk factors
associated with IT outsourcing and for each risk factor; measures were either identified
JEIM in the literature or were developed. Advantages of IT/IS outsourcing include cost
20,6 reduction, service quality improvement, access to state-of-the-art technology, and an
increased ability to focus on the “core business”. But along with the advantages, IT/IS
outsourcing also brings with it several risks as summarised in Table I.
To reduce the risks associated within the context of large-scale single supplier
outsourcing, approaches like “value-added” outsourcing whereby vendor and client
682 combine their capabilities to market IT products and services; client and vendor taking
equity holdings in each other; “co-sourcing”, involving “performance-based” contracts;
and the creation between the vendor and client of a “spin-off” company selling IT
services on to the wider market are being practiced (Willcocks et al., 1999).

Enablers of information risks mitigation

Mitigation of information risks requires collective efforts from supply chain partners.
For reducing information risks in a supply chain, mutual trust for long-term
relationships and the confidentiality of information among partners is a necessity
(Kilpatrick and Factor, 2000). Lack of trust and dependence on outsourcing are two
major reasons that contribute to supply chain risks (Sinha et al., 2004). Information
sharing that provides a shared basis for concerted actions by different functions across
interdependent firms (Whipple et al., 2002) is an important enabler of information risks
mitigation. Where information is transparent there is a high level of trust and
commitment (Christopher, 2000). Fisher (1997) indicates that supply chain
collaboration leads to cohesive market focus, better coordination of sales and
demand fulfilment, and minimum risks associated with forecasting. Information risks
like system breakdown can be reduced by a reliable IT infrastructure that is not
achievable without funds being available (Bender, 2000). Under these situations, the
role of top management assumes significance (Kilpatrick and Factor, 2000). Lee et al.
(2000) have analysed the benefits of sharing information on demands and/or inventory
levels between suppliers and customers that helps to reduce forecast risks. This
necessitates collaborative planning among supply chain members (Hoyt and Huq,
2000). Further the efficient management and operation of business processes like that
in a supply chain are considered closely aligned with the development of a
comprehensive IT/IS infrastructure (Sharif and Irani, 1999). The greater the degree of
coupling or integration between the information systems of trading parties, the greater
the degree of coordination and collaboration that can be achieved (White et al., 2005).
Supply chain partnership leads to increased information flows, reduced uncertainty,
and a more profitable supply chain resulting in a higher quality, cost-effective product
in a shorter amount of time (Fiala, 2005). Support to partners is facilitated by incentive

SN IT/IS outsourcing risks Contributors

1. Opportunism of vendors Barthélemy (2003)

2. Information security apprehension Khalfan (2004)
3. Hidden costs Collins and Millen (1995)
4. Loss of control Lacity and Hirschheim (1993)
5. Service debasement Bahli and Rivard (2005)
Table I. 6. Disagreements, disputes and litigations Earl (1996)
IT outsourcing risks 7. Poaching Walden and Hoffman (2007)
alignment that refers to the degree to which supply chain members share costs, risks, Information risks
and benefits (Simatupang and Sridharan, 2004). management
Research objectives
The focus of this paper is on information management, particularly on the mitigation
aspect of various information risks that could impact the flow of information in a
supply chain network. The major objective is to contribute and provide a better 683
understanding of information risk management in supply chains.
The main research problems addressed by the study are:
(1) What information risks are associated with supply chains?
(2) What kind of interrelationships exits between these information risks?
(3) How can these risks be estimated?

Methodology
To address the above questions, a framework is proposed that integrates interpretive
structural modelling (ISM) and graph theoretic approach. A brief discussion on the
rationale for choosing these two approaches is presented followed by research design and
data collection. Ill-defined problems tend to be dynamic problems that involve human
factors. Soft systems methodology (SSM) is generally used for dealing ill-defined problems
as to what shall be done, because at the onset there is no obvious or clearly defined
objective. But the main limitation of SSM is that it can be used to solve only some ill-parts
of the system and not for building the system as a whole (Ravi et al., 2005). The structural
equation modelling (SEM) is a confirmatory approach to data analysis requiring a priori
assignment of inter-variable relationships. It tests a hypothesised model statistically to
determine whether it is valid with the sample data (Schumacker and Lomax, 1996). One of
the limitations of SEM is that it requires the statistical data to obtain results.
Information risks mitigation in a supply chain depends on a number of variables. A
model depicting relationships among key variables would be of great value to the top
management to delineate the focus areas. ISM can rightly be employed under such
circumstances because on the basis of relationship between the variables, an overall
structure can be extracted for the system under consideration. The ISM process
transforms unclear, poorly articulated mental models of systems into visible,
well-defined models useful for many purposes (Sage, 1977). Further, there is also a need
to quantify information risks so that the management can understand the contribution
of various classes of information risks and whether their efforts to mitigate these risks
are yielding the desired results or not. The impact of information risks in a supply
chain is dependent upon several sub-variables and thus the overall impact is the result
of the individual impact of the sub-variables and their interrelationships. This dynamic
behaviour of various information risks can be quantified with the help of graph
theoretic approach. Thus an index that would quantify the information risks in a
supply chain would be developed by extending the graph theory in the domain of
information risk management in a supply chain.

Research design
Interpretive structural modelling. Interpretive structural modelling can be used for
identifying and summarising relationships among specific variables, which define a
JEIM problem or an issue (Sage, 1977; Warfield, 1974). It provides a means by which order
20,6 can be imposed on the complexity of such variables. Researchers have applied ISM to
analyse variety of systems (Faisal et al., 2006a; Jharkharia and Shankar, 2005; Bolaños
et al., 2005). In ISM a set of different and directly related variables affecting the system
under consideration is structured into a comprehensive systemic model. Therefore, in
this paper, the enablers of information risks mitigation have been analysed using the
684 ISM methodology, which shows the interrelationships of the enablers and their levels.
These enablers are also categorised depending on their driving power and dependence.
The various steps involved in the ISM methodology are as follows:
.
Step 1: variables affecting the system under consideration are listed, which can
be objectives, actions, and individuals etc.
.
Step 2: from the variables identified in step 1, a contextual relationship is
established among variables with respect to which pairs of variables would be
examined.
.
Step 3: a structural self-interaction matrix (SSIM) is developed for variables,
which indicates pairwise relationships among variables of the system under
consideration.
.
Step 4: reachability matrix is developed from the SSIM and the matrix is checked
for transitivity. The transitivity of the contextual relation is a basic assumption
made in ISM. It states that if a variable A is related to B and B is related to C, then
A is necessarily related to C.
.
Step 5: the reachability matrix obtained in step 4 is partitioned into different
levels.
.
Step 6: based on the relationships given above in the reachability matrix, a
directed graph is drawn and the transitive links are removed.
.
Step 7: the resultant digraph is converted into an ISM, by replacing variable
nodes with statements.
.
Step 8: the ISM model developed in step 7 is reviewed to check for conceptual
inconsistency and necessary modifications are made.

Graph theoretic model. Graph theoretic approach considers the physical or abstract
structure of a system explicitly or implicitly and can handle them conveniently.
Graph/digraph model representation has proved to be useful for modelling and
analysing various kinds of systems and problems in numerous fields of science and
technology (Faisal et al., 2006b; Rao and Padmanabhan, 2006; Chen, 1997). The graph
theoretic methodology consists of the digraph representation, the matrix
representation and the permanent function representation. While the digraph is the
visual representation of the characteristics and their interdependencies, the matrix
converts the digraph into mathematical form and the permanent function is a
mathematical model that helps to determine index. Various steps of this approach are
presented in Figure 1.
Data collection. For the purpose of identification of variables that facilitates the
process of information risks mitigation in supply chains; four small and medium
enterprises (SMEs) clusters were identified. These were brass cluster, lock cluster,
leather cluster and the ceramic cluster. Majority of the companies in these four clusters
 Information risks
management

685

Figure 1.
Flow chart for graph
theoretic approach

are sole proprietorships and family owned businesses. In each cluster enterprises that
were the top ten export earners in the district industries centre exporters directory were
selected. This criterion was deliberately chosen because these organisations are
members of the supply chain that extends beyond the geographical boundaries of the
nation and consequently depends largely on the flow of information to provide the
right products in right quantities at the right place. In the first phase, an initial visit to
the selected organisations was undertaken to understand their use of IT to manage
supply chain operations. Further using semi-structured questionnaire technique,
interviews were conducted. The personnel interviewed were in charge of the IT
function in the selected organisations. One of the major findings was the fact that
although these SMEs are in the process of integrating various IT enabled processes in
their supply chains, few had a comprehensive information risks mitigation strategy in
place. In the second phase a formal invitation was extended to these companies to
nominate their representatives for the workshop. But from the selected organisations
only 13 experts participated, while rest cited non-availability of time, lack of
knowledge, and no expertise in IT function as the major reasons for non participation.
To moderate the discussion two academicians working in the area of supply chain
management also participated in the workshop.
Before the workshop, literature related to information risk management was posted
to the participants to familiarise them with the formal categorisation of information
risks as it relates to supply chains. Then in the brainstorming session participants
were asked to identify and define enablers of information risks mitigation in the supply
chain. After two brainstorming sessions fifteen enablers were agreed upon, which were
finally reduced to 12 as some overlapped and some were combined. Then the experts
were also asked to identify the mutual relationships among the variables. In the last
session of the workshop a list of variables as identified and the diagram representing
the mutual relationship was circulated among the participants for any modification.
JEIM With a consensus on these 12 variables among the experts they were used to develop
20,6 the ISM based model. The selected variables are:
(1) Information sharing among supply chain (SC) partners.
(2) Supply chain wide strategies to mitigate information risks.
(3) Level of supply chain integration.
686 (4) Collaborative relationships among supply chain (SC) partners.
(5) Support to partners.
(6) Reliable IT/IS infrastructure.
(7) Top management commitment.
(8) Trust among supply chain (SC) partners.
(9) Awareness about information risks.
(10) Availability of funds to implement SC wide information risk mitigation
strategies.
(11) Incentives alignment.
(12) Metrics for continual information risks assessment and analysis.

Analysis of interaction among the enablers of information risks mitigation

Structural self-interaction matrix
Contextual relationship of “leads to” type is chosen which means that one variable
helps to achieve another variable. Based on this, contextual relationship between the
variables as identified in data collection stage is developed. Keeping in mind the
contextual relationship for each variable, the existence of a relation between any two
enablers (i and j) and the associated direction of the relation is questioned. Four
symbols are used to denote the direction of relationship between the enablers (i and j):
(1) V: enabler i will help to achieve enabler j.
(2) A: enabler i will be achieved by enabler j.
(3) X: enabler i and j will help achieve each other.
(4) O: enablers i and j are unrelated.

Based on the opinion of experts Table II is developed.

Reachability matrix
The SSIM is transformed into a binary matrix, called the initial reachability matrix by
substituting V, A, X, O by 1 and 0 as per the case. The rules for the substitution of 1’s
and 0’s are the following:
.
If the (i, j) entry in the SSIM is V, then the (i, j) entry in the reachability matrix
becomes 1 and the ( j, i ) entry becomes 0.
.
If the (i, j) entry in the SSIM is A, then the (i, j) entry in the reachability matrix
becomes 0 and the ( j, i ) entry becomes 1.
.
If the (i, j) entry in the SSIM is X, then the (i, j) entry in the reachability matrix
becomes 1 and the ( j, i ) entry also becomes 1.
 Information risks
Enablers 12 11 10 9 8 7 6 5 4 3 2
management
1. Information sharing V V V A X V A V X A V
2. Supply chain wide strategies V X V A A X A V A A
3. Level of supply chain integration V V V X V V X V V
4. Collaborative relationships V V V A X V A V
5. Support to partners V A A A A A A 687
6. Reliable IT/IS infrastructure O O V X O O
7. Top management commitment V V V A A
8. Trust among partners V V V A
9. Awareness about information risks V V V
10. Availability of funds V A Table II.
11. Incentives alignment V Structural self interaction
12. Metrics for assessment and analysis matrix (SSIM)

.
If the (i, j) entry in the SSIM is O, then the (i, j) entry in the reachability matrix
becomes 0 and the ( j, i ) entry also becomes 0.

Following these rules and after incorporating transitivities final reachability matrix for
the enablers is shown in Table III.

Level partitions
From the final reachability matrix, the reachability and antecedent set (Warfield, 1974)
for each enabler are found. The reachability set consists of the element itself and the
other elements that it may impact, whereas the antecedent set consists of the element
itself and the other elements that may impact it. Thereafter, the intersection of these
sets is derived for all the enablers. The enablers for whom the reachability and the
intersection sets are the same occupy the top level in the ISM hierarchy. The top-level
element in the hierarchy would not help achieve any other element above its own level.
Once the top-level element is identified, it is separated out from the other elements.
Then, the same process is repeated to find out the elements in the next level. This
process is continued until the level of each element is found (Tables IV and V). These
levels help in building the digraph and the final model.

Enablers 1 2 3 4 5 6 7 8 9 10 11 12 Driver

1. Information sharing 1 1 0 1 1 0 1 1 0 1 1 1 9
2. Supply chain wide strategies 0 1 0 0 1 0 0 0 0 1 1 1 5
3. Level of supply chain integration 1 1 1 1 1 1 1 1 1 1 1 1 12
4. Collaborative relationships 1 1 0 1 1 0 1 1 0 1 1 1 9
5. Support to partners 0 0 0 0 1 0 0 0 0 1 0 1 3
6. Reliable IT/IS infrastructure 1 1 1 1 1 1 1 1 1 1 1 1 12
7. Top management commitment 0 1 0 0 1 0 1 0 0 1 1 1 6
8. Trust among partners 1 1 0 1 1 0 1 1 0 1 1 1 9
9. Awareness about information risks 1 1 1 1 1 1 1 1 1 1 1 1 12
10. Availability of funds 0 0 0 0 1 0 0 0 0 1 0 1 3
11. Incentives alignment 0 1 0 0 1 0 0 0 0 1 1 1 5
12. Metrics for assessment and analysis 0 0 0 0 0 0 0 0 0 0 0 1 1 Table III.
Dependence 6 9 3 6 11 3 8 6 3 11 9 12 Final reachability matrix
JEIM
Enabler Reachability set Antecedent set Intersection set Level
20,6
1 1,2,4,5,7,8,10,11,12 1,3,4,6,8,9 1,4,8
2 2,5,10,11,12 1,2,3,4,6,7,8,9,11 2,11
3 1,2,3,4,5,7,8,9,10,11,12 3,6,9 3,6,9
4 1,2,4,5,7,8,10,11,12 1,3,4,6,8,9 6,8,9
688 5 5,10,12 1,2,3,4,5,6,7,8,9,10,11 5,10
6 1,2,3,4,5,6,7,8,9,10,11,12 3,6,9 3,6,9
7 2,5,7,10,11,12 1,3,4,6,7,8,9 7
8 1,2,4,5,7,8,10,11,12 1,3,4,6,8,9 1,4,8
9 1,2,3,4,5,6,7,8,9,10,11,12 3,6,9 3,6,9
10 5,10,12 1,2,3,4,5,6,7,8,9,10,11 5,10
Table IV. 11 2,5,10,11,12 1,2,3,4,6,7,8,9,11 2,11
Iteration I 12 12 1,2,3,4,5,6,7,8,9,10,11,12 12 I

Iteration Enabler Reachability set Antecedent set Intersection set Level

II 5 5,10 1,2,3,4,5,6,7,8,9,10,11 5,10 II

II 10 5,10 1,2,3,4,5,6,7,8,9,10,11 5,10 II
III 2 2,11 1,2,3,4,6,7,8,9,11 2,11 III
III 11 2,11 1,2,3,4,6,7,8,9,11 2,11 III
IV 7 7 1,3,4,6,7,8,9 7 IV
V 1 1,4,8 1,3,4,6,8,9 1,4,8 V
V 4 1,4,8 1,3,4,6,8,9 1,4,8 V
V 8 1,4,8 1,3,4,6,8,9 1,4,8 V
VI 3 3,6,9 3,6,9 3,6,9 VI
Table V. VI 6 3,6,9 3,6,9 3,6,9 VI
Iteration II-iteration VI VI 9 3,6,9 3,6,9 3,6,9 VI

Building the ISM model

From the final reachability matrix (Table III), the structural model is generated. If there
is a relationship between the enablers i and j, this is shown by an arrow which points
from i to j. This graph is called a directed graph, or digraph. After removing the
transitivities the digraph is finally converted into the ISM-based model (Figure 2).

MICMAC analysis
The objective of MICMAC analysis (Faisal et al., 2006a; Mandal and Deshmukh, 1994)
in this study is to identify and to analyse the variables according to their driving power
and dependence power towards information risks mitigation. Based on the driving
power and the dependence, these enablers have been classified into four categories:
(1) Autonomous enablers.
(2) Dependent enablers.
(3) Linkage enablers.
(4) Independent enablers.

The driver power and dependence of each of these enablers is found from Table III and
then a driver power-dependence diagram is constructed as shown in Figure 3.
Information risks
management

689

Figure 2.
ISM based model for
information risk
mitigation in a supply
chain

Figure 3.
Driver power and
dependence diagram
JEIM In this classification, the first cluster includes “autonomous enablers” that have a weak
20,6 driver power and weak dependence. These enablers are relatively disconnected from
the system. In the present case, there is no autonomous enabler. The second cluster
consists of the dependent variables that have weak driver power but strong
dependence. In the present case, enablers 2, 11, 5, 10 and 12 are in the category of
dependent variables. Enabler 12 has the maximum dependence, indicating that the
690 effectiveness of any metric to evaluate the information risks is dependent on all the
other variables. The third cluster includes linkage variables that have strong driver
power and dependence. Any action on these variables will have an effect on the others
above them and also a feedback effect on themselves. In this case, enabler 7 is the
linkage variable that implies that all the enablers above this level would be impacted
by this while it is dependent on lower level variables of the ISM model. The fourth
cluster includes independent variables with strong driver power and weak dependence.
In this case, enablers 1, 4, 8, 3, 6 and 9 fall in the category of driver enablers. But
maximum driving power is for enablers 3, 6, 9. These are awareness about information
risks, level of supply chain integration and reliable IS/IT infrastructure. These
variables are the most important variables that influence the impact of other variables
appearing at the top of the ISM hierarchy in the overall information risks mitigation
process, implying that management needs to address these enabler variables more
carefully in the supply chains.

Quantification of information risks

In the ISM model developed in the previous section the topmost enabler is the metrics
for continual assessment and analysis of information risks. Measurement of
information risks is important to understand their contribution to overall risk
susceptibility of the supply chain, and also to determine the impact of the efforts to
mitigate them. It would facilitate the process of devising suitable strategies to alleviate
these information risks. To quantify information risks, graph theoretic approach
would be employed through which individual contribution and the relative
interdependencies among various categories of information risks can be captured.

Identification of system variables

Elements that are a potential information risk in a supply chain are identified. In this
case following the information risks taxonomy the four variables are:
(1) Information security/breakdown risks (I1).
(2) Forecast risks (I2).
(3) Intellectual property rights risks (I3).
(4) IS/IT outsourcing risks (I3).

Develop the digraph

Digraph provides a graphical representation of the variables and their relative
importance for a quick visual appraisal of the system under consideration. In a digraph
a node represents information risk variable and edges represent the interrelationships
among the variables. For developing the digraph representing information risks as a
system, the four sub-systems considered are: information security/breakdown risks,
forecast risks, intellectual property rights risks, and IT/IS outsourcing risks. These
sub-systems may further have attributes, like IS outsourcing risks sub-system can Information risks
have hidden costs, loss of control, service debasement as variables. Then each of the management
sub-system is analysed from the point of view of its attributes and then the next level
for analysis is followed. But for the sake of simplicity the four sub-systems are
considered as single variables impacting the information risks system. Digraph
representing the four variables and their interdependencies is represented in Figure 4.
691
Transform the digraph into matrix form
Digraph is then transformed into matrix representation. The matrix would be M £ M
matrix where M is the number of variables considered. In this matrix the diagonal
elements represents the inheritances, i.e. the impact of individual variables and off
diagonal elements represents interdependencies or relative impacts. The digraph
representing the four variables and their relative interdependencies as shown in
Figure 4 is converted into a 4 £ 4 matrix as per equation (1):

0 1
I1 i12 i13 0
B C
B 0 I2 0 0C
* B C
I ¼B C ð1Þ
B 0 0 I3 0C
@ A
i41 0 i43 I4

Translate the matrix into permanent function

The permanent of this matrix I *, i.e. per (I *), is defined as the universal information
risk function. Permanent is a standard matrix function and is used in combinatorial
mathematics (Harary, 1985). It is a mathematical equation used to determine an index
(Jense and Gutin, 2000). The permanent function does not contain any negative sign
and thus no information is lost. Using this function, matrix would be transformed into
an equation. For a 4 £ 4 matrix permanent function is given by equation (2):

Figure 4.
Digraph representing the
four information risks
variables
JEIM *
Y
4 XXXX XXXX
PerðI Þ ¼ Ii þ ði12 i21 ÞI 3 I 4 þ ði12 i23 i31 þ i13 i32 i21 ÞI 4
20,6 i¼1 1 2 3 4 1 2 3 4

8 9
<XXXX XXXX =
þ ði12 i21 Þði34 i43 Þ þ ðði12 i23 i34 i41 Þ þ ði14 i43 i32 i21 ÞÞ ð2Þ
: 1 2 3 4 1 2 3 4
;
692
So for the system under consideration as represented by equation (1) the permanent
function would be:
*
PerðI Þ ¼ I 1 I 2 I 3 I 4 ð3Þ

This equation can be termed as information risk index of the supply chain.

Substitute the values of the variables and obtain a single numerical index
To obtain the value of information risk index the values of inheritances (Ii) are
required. These values can be obtained with the help of experts and in the absence of
any quantitative data; a ranked value judgement on a suitable scale can be adopted.

Tabulate the results of the index and suggest suitable strategies

Values of information risk index can be used to assess information risks vulnerability
of supply chains. Based on the values of the index, strategies to mitigate risks can be
evolved. This approach quantifies the various variables making it simple to
understand the deficient areas for effective information risks mitigation. Also
information risk index can be used to compare supply chains working in different
domains or for the same supply chain at different time periods.

Discussion
The importance of developing a robust and responsive information technology (IT) and
information system (IS) infrastructure to support the formal planning and control of
business processes is increasing in importance (Irani, 2002). Supply chain represents
one such process where companies are constantly linked to their suppliers,
distributors, third-party logistics service providers, financial providers, with whom
they share up-to-date information (Bertolini et al., 2004) and thus any accident or failure
at any link is sure to have ripple effects in the overall supply chain. The ISM model
developed in this paper provides the managers with an opportunity to understand the
focal areas that needs attention to minimise the risks to the real time and free flow of
information.
Though the capability of IT to reduce coordination and transaction costs and risks
particularly related to bullwhip has been recognised (Lewis and Talalayevsky, 2004)
management of risks associated with the information flow is yet become a part of
overall strategy in supply chain management. So from a strategic perspective, this
paper provides a comprehensive framework, which incorporates diversified issues
related to information risks management in a supply chain. The framework suggested
in the paper integrates graph theory and interpretive structural modelling which not
only leads to a logical result, but also enables the decision-makers to quantify the
impact of various variables of information risks in the final outcome.
 As information visibility across the supply chain should be managed with strict Information risks
policies, disciplines and monitoring (Búrca et al., 2005), the information risk index that management
quantifies the various information risks is an effort in this direction. It would be a tool
to monitor the supply chain’s susceptibility to information risks. Also using this index
supply chains can be benchmarked against the best practices in managing information
and developing strategies to reduce the impacts of the disruptive events. In the wake of
new risks because of integrated supply chains, organisations need to move beyond 693
their organisational boundaries to assess the risks. The new approach requires the
involvement of suppliers and sub-suppliers to identify, assess, and develop strategies
to manage risks.
Information-based collaborative supply chains are emerging in industries as diverse
as automobiles, grocery retailing and apparel manufacturing (Christopher and Lee,
2004) and the next phase would be actual system interoperability among suppliers,
customers, and other business (Davenport and Brooks, 2004). ISM model delineates the
areas like trust among supply chain partners, information sharing where collaborative
efforts are required to mitigate information risks. This necessitates that all the partners
understand their responsibility in the supply chain towards risks mitigation.
Lately the focus in the area of supply chain management is on concepts like
adaptability, responsiveness, agility and leanness. These concepts depend to a large
extent on real time information availability to all the partners. This makes the impacts
of information failure more widespread. The models developed in this research gives
opportunity to the management to quantify risks in lean or agile environments and
develop suitable strategies to manage them.

Limitations and scope for future work

In the present study 12 variables were identified for modelling the information risk
mitigation through ISM. More number of variables affecting information risks
mitigation in a supply chain can be identified to develop ISM. Experts’ help have been
sought to develop the contextual relationships for the ISM model, which may have
introduced some element of bias. Through ISM, a relationship model among
information risks mitigation variables in a supply chain has been developed but this
model is not statistically validated. In future extension of this work it is proposed to
apply structural equation modelling (SEM) technique, commonly known as linear
structural relationship approach to statistically corroborate the findings from ISM
model. In the graph theoretic model, for the sake of simplicity the subsystems within
these each system of risks were not considered. This is one of the major limitations in
the development of information risk index. So in future work the subsystems may be
considered and the impacts and interrelationships among the subsystem variables can
be taken into account. Also the interrelationships among the variables as represented
by the digraph are based on the opinion of experts that again may have some bias.
Further the proposed index may be evaluated for case supply chains to understand its
behaviour in actual practical settings.

Conclusions
This paper has presented an argument that to mitigate information risks; there is a
need to understand the interrelationships among the enablers of risks mitigation.
However, the research in the area of supply chain and information management is yet
JEIM to formalise risks associated with information in a supply chain context. This has
20,6 prompted the authors to identify and develop taxonomy of information risks that could
impact a supply chain.
Risk management remains a complex management process, largely due to its
dependency on a number of variables that are difficult to quantify in exact terms. The
contribution of this paper is to construct an integrated framework for information risks
694 mitigation and quantification. The framework will guide the supply chain and IT
managers to understand and manage risks related to information in a supply chain. In
this paper twelve variables were identified, which would help to mitigate information
risks in supply chains. The awareness of these enablers and their driver and
dependence power is important for information risks mitigation since management can
now focus on those variables which are of more strategic orientation.
Along with the identification of enablers of risks mitigation this paper has also
presented an approach to quantify information risks. This would help the
decision-makers to estimate the impacts of various information risks and
consequently develop suitable strategies to counter them. Therefore, to have a
robust comprehensive information risks mitigation policy in place, it is necessary for
supply chain and IT managers to not only understand various information risks
mitigation variables but also the mutual relationships among them. The framework
developed in this research has brought forth the following key issues:
.
Variables like awareness about information risks, reliable IT/IS infrastructure
and, level of supply chain integration have strong driver power and less
dependency. Therefore, these are strong drivers and can be treated as the key
enablers. They should be taken care on priority basis because there are a few
other dependent variables being affected by them.
. The driver power-dependence diagram (Figure 3) indicates that there are no
autonomous variables in the process of information risks mitigation in a supply
chain. Autonomous variables are weak drivers and weak dependents and do not
have much influence on the system. The absence of any autonomous variables
(enablers) in this study indicates that all the considered enablers influence the
process of information risks mitigation in a supply chain and management
should pay attention to all the enablers.
.
Overall impact of information risks in a supply chain is dependent on individual
risks and their relative interdependencies. Thus, risk index represents the metric
that can be effectively used to quantify information risks in supply chains.

At a time when information is a key resource for operating the supply chains and
information risks and its mitigation ranks high on the agenda, this paper provides an
insight into the various aspects of information risks in a supply chain. The proposed
methodology serves as a guideline to the supply chain and information system
personnel to manage information risks effectively.

References
Abouzakhar, N.S. and Manson, G.A. (2002), “An intelligent approach to prevent distributed
systems attacks”, Information Management and Computer Security, Vol. 10 No. 5,
pp. 203-9.
Aven, T., Vinnem, J.E. and Wiencke, H.S. (2007), “A decision framework for risk management, Information risks
with application to the offshore oil and gas industry”, Reliability Engineering and System
Safety, Vol. 92, pp. 433-48. management
Bahli, B. and Rivard, S. (2005), “Validating measures of information technology outsourcing risk
factors”, Omega, Vol. 33 No. 2, pp. 175-87.
Barthélemy, J. (2003), “The hard and soft sides of IT outsourcing management”, European
Management Journal, Vol. 21 No. 5, pp. 539-48. 695
Bender, P.S. (2000), “Debunking five supply chain myths”, Supply Chain Management Review,
Vol. 4 No. 1, pp. 52-8.
Bertolini, M., Bevilacqua, M., Bottani, E. and Rizzi, A. (2004), “Requirements of an ERP enterprise
modeller for optimally managing the fashion industry supply chain”, Journal of Enterprise
Information Management, Vol. 17 No. 3, pp. 180-90.
Biehl, M. (2005), “Selecting internal and external supply chain functionality: the case of ERP
systems versus electronic marketplaces”, Journal of Enterprise Information Management,
Vol. 18 No. 4, pp. 441-57.
Bolaños, R., Fontela, E., Nenclares, A. and Pastor, P. (2005), “Using interpretive structural
modelling in strategic decision-making groups”, Management Decision, Vol. 43 No. 6,
pp. 877-95.
Brandyberry, A. and White, G.P. (1999), “Intermediate performance impacts of advanced
manufacturing technology systems: an empirical investigation”, Decision Sciences, Vol. 30
No. 4, pp. 993-1020.
Búrca, S-d., Fynes, B. and Marshall, D. (2005), “Strategic technology adoption: extending ERP
across the supply chain”, Journal of Enterprise Information Management, Vol. 18 No. 4,
pp. 427-40.
Cardinali, R. (1998), “If the system fails, who is liable?”, Logistics Information Management,
Vol. 11 No. 4, pp. 257-61.
Chen, W.K. (1997), Graph Theory and its Engineering Applications: Advanced Series in Electrical
and Computer Engineering, University of Illinois, Chicago, IL.
Chopra, S. and Sodhi, M.S. (2004), “Managing risk to avoid supply chain breakdown”, Sloan
Management Review, Vol. 46 No. 1, pp. 53-61.
Choy, K.L., Lee, W.B. and Lo, V. (2004), “An enterprise collaborative management system: a case
study of supplier relationship management”, Journal of Enterprise Information
Management, Vol. 17 No. 3, pp. 191-207.
Christopher, M. (2000), “The agile supply chain competing in volatile markets”, Industrial
Marketing Management, Vol. 29 No. 1, pp. 37-44.
Christopher, M. and Lee, H. (2004), “Mitigating supply chain risk through improved confidence”,
International Journal of Physical Distribution & Logistics Management, Vol. 34 No. 5,
pp. 388-96.
Collins, J. and Millen, R. (1995), “Information systems outsourcing by large American industrial
firms: choices and impacts”, Information Resources Management Journal, Vol. 8 No. 1,
pp. 5-13.
Cullen, S., Seddon, P.B. and Willcocks, L.P. (2005), “IT outsourcing configuration: research into
defining and designing outsourcing arrangements”, The Journal of Strategic Information
Systems, Vol. 14 No. 4, pp. 357-87.
Davenport, T.H. and Brooks, J.D. (2004), “The enterprise systems and the supply chain”, Journal
of Enterprise Information Management, Vol. 17 No. 1, pp. 8-19.
JEIM Dennis, M.J. and Kambil, A. (2003), “Service management: building profits after the sale”, Supply
Chain Management Review, Vol. 7 No. 1, pp. 42-8.
20,6
Earl, M.J. (1996), “The risks of outsourcing IT”, Sloan Management Review, Vol. 37 No. 3,
pp. 26-32.
Faisal, M.N., Banwet, D.K. and Shankar, R. (2006a), “Supply chain risk mitigation: modeling the
enablers”, Business Process Management Journal, Vol. 12 No. 4, pp. 535-52.
696 Faisal, M.N., Banwet, D.K. and Shankar, R. (2006b), “Mapping supply chains on risk and
customer sensitivity dimensions”, Industrial Management & Data Systems, Vol. 106 No. 6,
pp. 878-95.
Fiala, P. (2005), “Information sharing in supply chains”, Omega, Vol. 33 No. 5, pp. 419-23.
Fisher, M.L. (1997), “What is the right supply chain for your product?”, Harvard Business Review,
Vol. 75 No. 2, pp. 105-16.
Ford, R. and Ray, H. (2004), “Googling for gold: web crawlers, hacking and defence explained”,
Network Security, Vol. 2004 No. 1, pp. 10-13.
Ganguli, P. (2000), “Intellectual property rights: mothering innovations to markets”, World
Patent Information, Vol. 22 Nos 1/2, pp. 43-52.
Halchin, L.E. (2004), “Electronic government: government capability and terrorist resource”,
Government Information Quarterly, Vol. 21 No. 4, pp. 406-19.
Hallikas, J., Karvonen, I., Pulkkinen, U., Virolainen, V.M. and Tuominen, M. (2004), “Risk
management processes in supplier networks”, International Journal of Production
Economics, Vol. 90 No. 1, pp. 47-58.
Handfield, R.B. and Nichols, E.L. (1999), Introduction to Supply Chain Management,
Prentice-Hall, Upper Saddle River, NJ.
Harary, F. (1985), Graphs and Organizations, Wiley, New York, NY.
Harland, C., Brenchley, R. and Walker, H. (2003), “Risk in supply networks”, Journal of
Purchasing and Supply Management, Vol. 9 No. 2, pp. 51-62.
Hoyt, J. and Huq, F. (2000), “From arms-length to collaborative relationships in the supply chain”,
International Journal of Physical Distribution & Logistics Management, Vol. 30 No. 9,
pp. 750-64.
Irani, Z. (2002), “Information systems evaluation: navigating through the problem domain”,
Information & Management, Vol. 40 No. 1, pp. 11-24.
Irani, Z., Sharif, A., Love, P.E.D. and Kahraman, C. (2002), “Applying concepts of fuzzy cognitive
mapping to model: the IT/IS investment evaluation process”, International Journal of
Production Economics, Vol. 75 Nos 1/2, pp. 199-211.
Jense, J.B. and Gutin, G. (2000), Digraph Theory, Algorithms, and Organizations, Springer,
London.
Jharkharia, S. and Shankar, R. (2005), “IT enablement of supply chains: understanding the
barriers”, Journal of Enterprise Information Management, Vol. 18 No. 1, pp. 11-27.
Kern, T. and Willcocks, L. (2000), “Exploring information technology outsourcing relationships:
theory and practice”, The Journal of Strategic Information Systems, Vol. 9 No. 4, pp. 321-3.
Khalfan, A.M. (2004), “Information security considerations in IS/IT outsourcing projects: a
descriptive case study of two sector”, International Journal of Information Management,
Vol. 24 No. 1, pp. 29-42.
Kilpatrick, J. and Factor, R. (2000), “Logistics in Canada survey: tracking year 2000 supply chain
issues and trends”, Materials Management and Distribution, Vol. 45 No. 1, pp. 16-20.
Kirchmer, M.E. (2004), “E-business process networks – successful value chains through Information risks
standards”, Journal of Enterprise Information Management, Vol. 17 No. 1, pp. 20-30.
management
Kucera, K., Plaisent, M., Bernard, P. and Maguiraga, L. (2005), “An empirical investigation of the
prevalence of spyware in internet shareware and freeware distributions”, Journal of
Enterprise Information Management, Vol. 18 No. 6, pp. 697-708.
Lacity, M.C. and Hirschheim, L. (1993), “The information systems outsourcing bandwagon”,
Sloan Management Review, Vol. 35 No. 1, pp. 73-86. 697
Lee, H.L., Padmanabham, V. and Whang, S. (1997), “The bullwhip effect in supply chains”,
Sloan Management Review, Vol. 38 No. 3, pp. 93-102.
Lee, H.L., So, K.C. and Tang, C.S. (2000), “The value of information sharing in a two-level supply
chain”, Management Science, Vol. 46 No. 5, pp. 626-43.
Lewis, I. and Talalayevsky, A. (2004), “Improving the interorganizational supply chain through
optimization of information flows”, Journal of Enterprise Information Management, Vol. 17
No. 3, pp. 229-37.
Maguire, S. (2002), “Identifying risks during information system development: managing the
process”, Information Management & Computer Security, Vol. 10 No. 3, pp. 126-34.
Mandal, A. and Deshmukh, S.G. (1994), “Vendor selection using interpretive structural modeling
(ISM)”, International Journal of Operations & Production Management, Vol. 14 No. 6,
pp. 52-9.
Motwani, J., Madan, M. and Gunasekaran, A. (2000), “Information technology in managing global
supply chains”, Logistics Information Management, Vol. 13 No. 5, pp. 320-7.
Møller, C. and ERP, . II: (2005), “ERP II: a conceptual framework for next-generation enterprise
systems?”, Journal of Enterprise Information Management, Vol. 18 No. 4, pp. 483-97.
Norrman, A. and Jansson, U. (2004), “Ericsson’s proactive supply chain risk management
approach after a serious sub-supplier accident”, International Journal of Physical
Distribution & Logistics Management, Vol. 34 No. 5, pp. 434-56.
Rao, R.V. and Padmanabhan, K.K. (2006), “Selection, identification and comparison of industrial
robots using digraph and matrix methods”, Robotics and Computer-Integrated
Manufacturing, Vol. 22 No. 4, pp. 373-83.
Ravi, V., Shankar, R. and Tiwari, M.K. (2005), “Productivity improvement of a computer
hardware supply chain”, International Journal of Productivity and Performance
Management, Vol. 54 No. 4, pp. 239-55.
Ritchie, B. and Brindley, C. (2000), “Disintermediation, disintegration and risk in the SME global
supply chain”, Management Decision, Vol. 38 No. 8, pp. 575-83.
Sabki, A., Ahmed, P.K. and Hardaker, G. (2004), “The developing an e-commerce solution: a case
study of TimeXtra”, Journal of Enterprise Information Management, Vol. 17 No. 5,
pp. 388-401.
Sage, A.P. (1977), Interpretive Structural Modeling: Methodology for Large-scale Systems,
McGraw-Hill, New York, NY.
Schumacker, R.E. and Lomax, R.G. (1996), A Beginner’s Guide to Structural Equation Modeling,
Lawrence Erlbaum Associates, Pittsburgh, PA.
Sharif, A.M. and Irani, Z. (1999), “Research note: theoretical optimisation of IT/IS investments”,
Logistics Information Management, Vol. 12 Nos 1/2, pp. 189-96.
Shore, B. and Venkatachalam, A.R. (2003), “Evaluating the information sharing capabilities of
supply chain partners: a fuzzy logic model”, International Journal of Physical Distribution
& Logistics Management, Vol. 33 No. 9, pp. 804-24.
JEIM Simatupang, T.M. and Sridharan, R. (2004), “Benchmarking supply chain collaboration:
an empirical study”, Benchmarking: An International Journal, Vol. 11 No. 5, pp. 484-503.
20,6 Sinha, P.R., Whitman, L.E. and Malzahn, D. (2004), “Methodology to mitigate supplier risk in an
aerospace supply chain”, Supply Chain Management: An International Journal, Vol. 9 No. 2,
pp. 154-68.
Speckman, R.E. and Davis, E.W. (2004), “Risky business: expanding the discussion on risk and
698 the extended enterprise”, International Journal of Physical Distribution & Logistics
management, Vol. 34 No. 5, pp. 414-33.
Stockdale, R. and Standing, C. (2004), “Benefits and barriers of electronic marketplace
participation: an SME perspective”, Journal of Enterprise Information Management,
Vol. 17 No. 4, pp. 301-11.
Sutton, S.G. (2006), “Extended-enterprise systems’ impact on enterprise risk management”,
Journal of Enterprise Information Management, Vol. 19 No. 1, pp. 97-114.
Tang, C.S. (2006), “Perspectives in supply chain risk management”, International Journal of
Production Economics, Vol. 103 No. 2, pp. 451-88.
Walden, E.A. and Hoffman, J.J. (2007), “Organizational form, incentives and the management of
information technology: opening the black box of outsourcing”, Computers & Operations
Research, Vol. 34, pp. 3575-91.
Warfield, J.W. (1974), “Developing interconnected matrices in structural modeling”, IEEE
Transactions on Systems Men and Cybernetics, Vol. 4 No. 1, pp. 51-81.
Whipple, J.M., Frankel, R. and Daugherty, P.J. (2002), “Information support for alliances:
performance implications”, Journal of Business Logistics, Vol. 23 No. 2, pp. 67-81.
White, A., Daniel, E.M. and Mohdzain, M. (2005), “The role of emergent information technologies
and systems in enabling supply chain agility”, International Journal of Information
Management, Vol. 25 No. 5, pp. 396-410.
Willcocks, L.P., Lacity, M.C. and Kern, T. (1999), “Risk mitigation in IT outsourcing strategy
revisited: longitudinal case research at LISA”, The Journal of Strategic Information
Systems, Vol. 8 No. 3, pp. 285-314.
Yusuf, Y.Y., Gunasekaran, A., Adeleye, E.O. and Sivayoganathan, K. (2004), “Agile supply chain
capabilities: determinants of competitive objectives”, European Journal of Operational
Research, Vol. 159 No. 2, pp. 379-92.
Zhang, R. and Chen, K. (2005), “Improvements on the WTLS protocol to avoid denial of service
attacks”, Computers and Security, Vol. 24 No. 1, pp. 76-82.

About the authors

Mohd Nishat Faisal is currently National Doctoral Fellow at the Department of Management
Studies, Indian Institute of Technology Delhi, India. He is on a sabbatical from the Faculty of
Management Studies and Research, Aligarh Muslim University, Aligarh, India where he is a
senior lecturer with around twelve years of teaching and research experience. He is the first
recipient of National Doctoral Fellowship in the area of Management. His research interests are
in the area of supply chain management, small business management, management science and
information technology. His research papers have appeared in journals like Industrial
Management & Data Systems, Business Process Management Journal, Decision, Management
Review, Udyog Pragati, Abhigyan etc. Mohd Nishat Faisal is the corresponding author and can be
contacted at: [email protected]
D.K. Banwet is Dalmia Chair Professor and former head at the Department of Management
Studies, Indian Institute of Technology Delhi, India. He is also the Group chair (Operations
Management) and Coordinator of Applied Systems Research Programme at IIT, Delhi. His areas
of interest are production and operations management, management science, entrepreneurship Information risks
and technology management, general management/strategic management, project management,
supply chain management etc. He has published research papers in journals like The TQM management
Magazine, Journal of Educational Planning and Administration, Productivity, International
Journal of Productivity and Performance Management (formerly Work Study), Asian Academy of
Management Journal, Journal of Global Competitiveness, and Management Review.
Ravi Shankar is currently Associate Professor of Operations and Information Technology
management. He is Group Chair of Sectoral Management at the Department of Management 699
Studies at Indian Institute of Technology Delhi, India. He has nearly 23 years of teaching
experience. His areas of interest are supply chain management, knowledge management, flexible
manufacturing systems, TQM, etc. His publications have appeared in various journals including
the European Journal of Operational Research, International Journal of Production Research,
Computers and Industrial Engineering, International Journal of Production Economics,
Computers and Operations Research, International Journal of Supply Chain Management, etc.
He is the executive editor of Journal of Advances in Management Research.

To purchase reprints of this article please e-mail: [email protected]

Or visit our web site for further details: www.emeraldinsight.com/reprints