Phases and tools for supply chain risk management: a systematic literature review

e4227. https://doi.org/10.1590/0104-530X4227-20 Abstract: Supply chain risk management (SCRM) has been widely discussed in the academic literature and several models have been proposed in recent years, but there is a need for a model encompassing phases and tools for SCRM. This study presents a systematic literature review (SLR) of 254 abstracts and 68 full-text papers. The SLR made it possible to identify and define the main phases for the SCRM, as well as the tools proposed for each phase. There is a concentration of efforts in the phases of identification, assessment, and selection of risk management strategies and a limited number of studies in monitoring and controlling risks. The article offers a global SCRM framework, contributing to the theoretical discussions and a practical guide to implementation related

As a result, these disturbances may cause an interruption in the flow of goods, services, money and/or information in the supply chain and consequently hinder its performance (Pfohl et al., 2010), justifying the reason for which supply chain risk management (SCRM) has become an important topic of study (Elleuch et al., 2014;Fahimnia et al., 2015;Hachicha & Elmsalmi, 2014;Tang & Nurmaya Musa, 2011;Thun & Hoenig, 2011).
This paper seeks to contribute to reducing the gap presented here, adopting an approach based on systematic literature review. A systematic review goes beyond the mere revision or compilation of previous studies. It consists of an objective, transparent and reproducible methodology to select, analyze and synthesize data that answer specific research questions, allowing for the clear identification of what is known or unknown of a given subject (Denyer and Tranfield, 2009, p. 671). It follows strict and pre-established protocols for document revision, offering a clear track so that obtained results are audited in a scientific manner (Tranfield et al., 2003). It has been adopted in various fields, such as medicine (Higgins & Green, 2008), social sciences (Campbell Collaboration, 2014), management (Denyer & Tranfield, 2009) and increasingly in the areas of operations management and industrial engineering (Thomé et al., 2016). For Torraco (2005), systematic reviews function to provide a classification or taxonomy of topics of interest of a given subject, present and describe the relationship between these topics through conceptual frameworks. In addition, the reviews allow for the identification of breaches or less explored aspects, providing a research agenda. Finally, it allows for conceptual contributions through meta-theories or the combination of new approaches in existing theories. This paper offers a systematic literature review based on pre-established protocol, aiming to provide a typology, framework and research agenda on the tools used in the various phases of SCRM. This article seeks to answer two research questions: (i) what are the main phases suggested in the literature for SCRM and (ii) what are the main tools used for each phase. In this regard, the state of the art will be verified and analyzed with respect to SCRM frameworks and their main phases and tools. As a result, a global framework is proposed, relating the main tools to each phase with the purpose of facilitating the practice of risk management implementation in supply chains. This paper's main conceptual contribution consists of the elaboration of a practical guide for the selection of tools adapted to the different SCRM phases through a framework relating phases and tools and suggestions for future research on the subject.

Methodology
A systematic literature review was conducted based on Thomé et al. (2016) following eight steps: (i) planning and formulating the problem, (ii) searching the databases, (iii) data gathering, (iv) data quality evaluation, (v) data analysis, (vi) interpretation of results, (vii) presenting results, and (viii) updating previous reviews.
For the first step, the need for the systematic review was identified, the research team was constituted, and the review scope was defined, in accordance with recommendations from Cooper (1988), covering the aspects of focus, goal, perspective, coverage, and audience. The focus was in the methods and tools of SCRM, with the goal of identifying its central aspects, under a scientific perspective, representing the coverage of SCRM in operations management and industrial engineering, for a public of scholars and supply chain managers. In this step, the research protocol was equally established.
For the second step of the systematic approach, the databases were selected and keywords for the database queries were defined. Moreover, inclusion and exclusion criteria were established based on the inspection of titles and abstracts of selected documents, as well as the complete examination of articles used in the synthesis and data analysis steps. A search through the documents' citations and through articles that cited the selected documents completed the database document selection. During this process, agreement verifications were performed by at least two reviewers and discrepancies were analyzed with the participation of a third author.
The search and selection of documents were based on Thomé et al. (2014Thomé et al. ( , 2012. The databases selected were EMERALD, SCIENCE DIRECT, SPRINGER, TAYLOR & FRANCIS, and WILEY, because they concentrate the main publications on SCRM. For the sake of enriching the paper, grey literature was included in the literature review. For this purpose, searches were conducted in conferences relevant to the area (e.g., EUROMA, ENEGEP, POMS, and ANPET). Keywords used to perform searches in these databases were: (("SUPPLY CHAIN RISK" AND "FRAMEWORK") OR ("SUPPLY CHAIN RISK" AND "MODEL")). These keywords were adapted to each database's search engine. The search was concentrated on document title, abstract, and keywords, with no restrictions regarding publication dates. Selected keywords were comprehensive in order to avoid artificially limiting the search field and specific enough as to avoid undesirable results (Cooper, 2010;Thomé et al., 2014). In other words, the initial search words were defined as to balance what Petticrew & Roberts (2006, p. 81) call sensitivity (attainment of all relevant documents) and specificity (disregard of irrelevant documents), which is consistent with the coverage sought in the scope of the review.
The search returned 259 documents and all abstracts were examined by at least two authors. Before initiating the review process, exclusion criteria were defined (Cooper, 2010;Thomé et al., 2016). They were: • Documents that do not analyze supply chain risk management; • Documents that address supply chain risk management superficially, that is, it is not the paper's main subject.
Following the exclusion criteria, 157 documents were eliminated during the first round. A second round was executed in order to solve disagreements, that is, articles that were excluded by only one of the authors. Although the percentage of agreement based on Krippendorf's alpha (Krippendorff, 2004;Neuendorf, 2002) was considered satisfactory (87.8%), all disagreements were discussed aiming to achieve 100% agreement. For this purpose, documents, where disagreements took place, were fully examined and during the second round, 15 of these articles were eliminated, following the same exclusion criteria from the first round. After the first and second round, 87 documents remained.
For the third step of the systematic review, following protocol specified in Thomé et al. (2016), data were collected in an analytical spreadsheet with the identified categories for the classification of phases and SCRM tools.
After all, 87 documents were fully examined, 17 were eliminated and the percentage of agreement between authors reached a Krippendorf's alpha of 92%. Once again, disagreements were handled and two more documents were eliminated, thus leaving 68 documents in the sample.   The fourth step in the protocol consists of the evaluation of the quality of primary studies included in the analysis. Aiming to identify the quality of selected studies, the first author's h-index was verified for documents with most citations, because this index considers the number of papers with citations ≤ h and can be understood as the author's influence in his research field (Hirsch, 2005). According to Thomé et al. (2016), in order to identify key authors in a research subject, the number of publications must be supported by a measure of the impact of their publications, which is measured by the h-index in this article. Table 1 presents the number of articles published by these authors, the author's percentage of citations in relation to the total number of citations of the 68 documents in the sample and the author's h-index. Table 1 indicates the authors with up to 80% of the total number of citations in the sample, ordered by decreasing number of citations. Analyzing Table 1, it is possible to determine that a correlation between the number of publications and the influence factor exists, once in most cases authors with a high number of publications have a greater h-index.
Therefore, one may say the sample is representative of the researched subject, once the authors presented in Table 1 are widely cited and the h-index has demonstrated their influence in the addressed research field.
The data analysis and synthesis steps, corresponding to step 5 of the systematic review methodology, are presented in Section 3 (phases) and 4 (tools).
Step 6 of the review protocol is presented in Section 5. This paper presents the results, consisting of step 7 of the systematic review methodology.
Step 8 of the protocol, update of previous literature reviews on the same subject, is outside the scope of this study.

Phases of supply chain risk management
After analyzing all 68 articles, the seven phases of SCRM were listed and defined. They are context analysis, risk identification, risk evaluation, strategy selection for risk treatment, strategy implementation, control, and monitoring.
Context analysis consists of the definition of the issue to be managed. This analysis involves understanding what are the main actors of the supply chain, their roles and responsibilities, who is responsible for what, and what measures have already been implemented (Harland et al., 2003). Only actors that may potentially present substantial losses for themselves or another member of the chain or even yet the chain as a whole should be contemplated in the risk management process (Harland et al., 2003). From the context analysis, the scope of the risk management process can be developed, delimiting members that should be taken under consideration and their responsibilities within the supply chain (Cucchiella & Gastaldi, 2006;Oehmen et al., 2009). Once the scope is defined, the next phase begins: risk identification.
After the selected strategy is implemented, it must also be controlled, verifying its efficiency with respect to the prioritized and treated risk. Therefore, the control phase's purpose is to evaluate the progress obtained through the implemented strategy and establish possible corrective actions in case there are any deviations and/or the strategy does not fulfill the expected goal (Giannakis & Papadopoulos, 2016;Kern et al., 2012;Oehmen et al., 2009;Tummala & Schoenherr, 2011).
Because the supply chain's structure and operations change regularly, new risks may emerge; confirming the importance of the monitoring phase (Kern et al., 2012).
Monitoring consists of supervising the chain in order to detect new risks, identify tendencies, probabilities and impacts (Elleuch et al., 2014;Kern et al., 2012;Oehmen et al., 2009;Pujawan & Geraldin, 2009;Tummala & Schoenherr, 2011;Tuncel & Alpan, 2010). Monitoring allows for the identification of the need to rerun the process of supply chain risk management, this phase reinitiates the process of risk management, acting on emerging risks. Manuj & Mentzer (2008a) stress the cyclic behavior of SCRM. Despite the importance of monitoring (Kern et al., 2012), the literature does not present sufficient explanations about this phase (Ho et al., 2015).
It is worth noting that during the control phase, the strategy is evaluated in regard to its result before the risk to be treated. In the monitoring phase, behavior and tendencies are observed, with the purpose of anticipating new risks. Figure 3 presents the percentage, within the 68 selected documents, that considers each phase as part of SCRM.  Figure 3 and Table 2 emphasize the concentration of academic literature in three specific phases: risk identification, risk evaluation, and strategy selection for risk treatment. Context analysis, monitoring, and control are poorly explored phases.

Results from
Analyzing the authors' approaches to SCRM, it is possible to notice that only Oehmen et al. (2009) and Tummala & Schoenherr (2011) present SCRM contemplating all seven phases presented in this study. Most authors (69%) discussed SCRM contemplating only the phases of identification and risk analysis.

Phases
Authors that cite the phase

Tools for SCRM
Through a full-text examination of the 68 sample documents, it was possible to identify the main tools proposed by the articles for each SCRM phase. Not all articles presented tools as shown in Figure 4. Observing Figure 4, a concentration of academic literature efforts in presenting tools for the risk identification and evaluation phases can be noticed once again, where the number of tools found for each phase is presented in Figure 5. The next paragraphs present the main tools proposed for each phase of SCRM. Tools that were cited the most and with at least two citations were considered in the analysis.
The only proposed tool for the risk control phase was updating risk information. This tool consists of updating information for the prioritized risk, verifying the efficiency of the implemented treatment strategy (Tummala & Schoenherr, 2011).
No tool was proposed for the risk monitoring phase. Contrary to expectations, no author cites the use of KPI as a possible tool for this phase.
A research gap is observed after document analysis regarding the phases of strategy implementation for risk treatment, control, and monitoring, since they were insufficiently explored in the literature with respect to practical implementations.

Compilation of results from scrm phases and their tools
The goal of this section is to summarize the information collected regarding the phases and tools for SCRM. The data gathered concerning the tools for each phase of supply chain risk management show that the use of certain tools is not exclusive to a single phase. Table 3 presents the different tools proposed by the sample documents and their application in the SCRM phases. The tools presented in Table 2 are applied with different goals to each phase. Even though expert opinion, for example, is present in different phases, the role of the specialist changes as the supply chain risk management process moves forward. It is also possible to observe tools with multiple steps, where each step meets the purpose of a phase, such as the ISM proposed by Diabat et al. (2012), Faisal et al. (2006, Hachicha & Elmsalmi (2014), Pfohl et al. (2011) andVenkatesh et al. (2015).
Based on the phases and tools gathered, a global framework for supply chain risk management, represented in Figure 8, can be proposed, where the phases for SCRM and their tools are highlighted. It can be observed from Figure 8 that the literature presents "expert opinion" as a common tool for most phases, this is partly due to the fact that many chains still do not have a mature SCRM model. Therefore, the starting point for risk management becomes the experience of those involved in the processes that comprise chain management. The absence of documented information and structured tools should not prevent SCRM, once the expertise of those involved in the process could be used until new tools may be added to SCRM.
The framework represented by Figure 8 suggests an implementation guide for SCRM, the tools were numbered in order of necessity, as to facilitate their use. Exemplifying, so that the scope of the chain where the risk will be managed can be defined, the starting point may be an issue experimented by a focal business. From there, members of the chain considered critical to the issue are identified, allowing for the definition of first layer suppliers. When reporting the problem to first-tier suppliers, these may identify that other suppliers could be included (second-tier suppliers, in relation to the focal business), and so on. A similar approach is presented in Ceryno et al. (2015) for scope definition in SCRM. Once the critical suppliers for a given problem are defined, the studied chain may be mapped. For risk identification, in case information to support this phase is insufficient, a literature review could be performed regarding chains of similar fields, in an attempt to raise the main issues approached in the literature. This survey may be used as an initial list to be validated and/or complemented by specialists, that may be stimulated to include new risks through tools such as brainstorm. During risk evaluation, when probabilities, impacts and subsequent prioritization are defined, expert opinion may once again be used in several ways, for example through tools such as AHP, FMEA, DELPHI and simulation.
Regarding the selection of strategy to be implemented, expert opinion may assist decision making. Naturally, in chains where SCRM is more mature, this tool should be combined with more sophisticated ones, such as a cost-benefit analysis, AHP, and ISM. Once the strategy is implemented, it should be monitored regarding its efficiency. Although the literature does not present tools for this phase, the use of performance indicators related to the desired performance of the chain regarding the treated risk is suggested as a way of identifying deviations with respect to what was planned. The same applies to the monitoring phase since the chain must be constantly evaluated so that new risks may be identified. The use of KPI for this phase is justifiable, once activities related to SCRM are only valid if the identified risks interfere with the supply chain's performance (Wagner & Bode, 2008). The importance of using KPI in supply chains as a way of overseeing the gap between what is planned and what is executed as to identify potential issues and improvement areas has already been previously addressed, for example, in Wagner & Bode (2008) and Chae (2009). Studies such as Neely et al. (1997) and Beamon (1999) may suit as a foundation for the definition of indicators and their implementation, focusing on supporting the SCRM process.

Conclusions
The growing interest in supply chain risk management was identified through a search in academic databases, focusing on the different phases and tools presented by the literature. Seven phases were identified, and it was possible to determine the existence of a research gap concerning the last three phases (implementation of risk treatment strategy, control, and monitoring). The low number of articles that treat these phases as well as the limited number of tools presented to address them confirms the gap. The gap observed in this paper corroborates findings from Ho et al., (2015).
An important aspect examined in this research concerns the goals of the control and monitoring phases, as they were treated as synonyms by the literature. Therefore, there is no consensus regarding these phases' definitions and goals (e.g. Kern et al., 2012;Giannakis & Papadopoulos, 2016). This study sought to remedy this gap, since it presents the role of each SCRM phase and their goals.
The main tools for SCRM where presented in this study, where another research gap was observed: the lack of theoretical and practical studies regarding the phases of implementation of risk treatment strategy, control and monitoring, justifying the low number of proposed tools or even their absence for these phases, corroborating König & Spinler (2016), who point to the lack of SCRM global practical applications.
Since identification and evaluation of risks are the most studied phases, the elevated number of tools found in the academic literature for these phases in comparison to the rest is not surprising. The use of simulation is strongly emphasized for the risk evaluation phase, although some articles present it equally as the chosen option for the identification phase.
This study takes the first step in the elaboration of a global implementation guide for SCRM, once it highlights the phases that compose supply chain risk management and the tools that enable their application as its main result. Provides important contributions to the application and research in SCRM.
This study contributes to SCRM in an important manner, in six main aspects. First, it offers a taxonomy that allows for the classification of the phases and proper tools for each phase of risk management in the SC. Second, presents which tools should be used in which phases of SCRM in a structured manner. Third, offers a framework for SCRM, constituting a new and practical guide for SCRM implementation. Fourth, raises the use of KPIs in SCRM, highlighting their relevance and in which management phases they should be used. Fifth, by indicating least studied phases and least used tools, opens new avenues for future research, emphasizing the need for new tools applied above all to the phases of implementation, control and monitoring. Finally, and consistent with what is proposed in recent literature in operations management (e.g., Torraco, 2005;Denyer & Tranfield, 2009;Fahimnia et al., 2015;Thomé et al., 2016), this study evidences the potential use of systematic literature reviews as a supply chain risk management confrontation tool, offering a taxonomy, a framework and a future agenda for useful research for the academy and for the practice of supply chain risk management.