Supply chain resilience development in the defence industry: an AI-assisted content analysis of annual reports Open Access

Building supply chain resilience (SCR) has become essential for managers and scholars alike, particularly following recent global disruptions that exposed vulnerabilities across diverse sectors (Sarkis, 2020). While much research examines SCR in commercial contexts, highly regulated, security-critical industries face unique tensions between efficiency and resilience that amplify both risks and consequences of failure. Understanding how organisations in such contexts build resilience over time offers insights for the broader supply chain management field.

Few industries exemplify these challenges as clearly as defence supply chains. Geopolitical tensions, cyberattacks and stringent regulatory oversight make them both highly vulnerable and strategically indispensable (Antai and Hellberg, 2024). The defence sector’s supply networks are shaped by government procurement practices and national security priorities, necessitating the management of unique threats such as logistical disruptions and global interdependencies. Furthermore, defence companies must navigate advanced technological requirements and tight regulatory controls (Antai and Hellberg, 2024). In this context, building SCR is critical for ensuring operational continuity and security.

Despite growing attention to SCR, empirical evidence on how firms develop and adapt resilience strategies across successive disruptions remains limited. Existing research has identified various mitigation strategies (Craighead et al., 2007; Spieske et al., 2022; Sudan et al., 2023), yet studies largely focus on isolated disruptions, offering limited insight into how strategies co-evolve with changing risk landscapes over extended periods. This temporal dimension is particularly critical in understanding how the interplay of different resilience strategies affects risk mitigation as disruption contexts shift. Moreover, little is known about how firms within defence supply networks communicate and manage these strategies over time, particularly under the dual pressures of national security requirements and global supply dependencies.

It is essential to understand how resilience strategies co-evolve with risk landscapes, advancing SCR from a reactive concept to a dynamic, adaptive capability (Ponomarov and Holcomb, 2009), to achieve more robust supply chain management theory development. In practice, illuminating evolutionary patterns provides actionable guidance for resource allocation and adaptation. The defence industry offers an ideal empirical setting for examining these dynamics: its combination of long-term contracts, stringent regulatory oversight and national security implications amplifies the consequences of supply chain failures (Bondeli and Havenvid, 2022).

This study examines how defence firms’ mitigation strategies co-evolve with changing risk landscapes across successive eras. Our focus is on how firms frame and communicate SCR through annual reports. These documents serve not only as regulatory disclosures but also as strategic narratives through which firms manage legitimacy and signal priorities in a politically sensitive industry. This perspective has become particularly salient in the light of recent geopolitical instability, growing technological interdependence among allied nations and tightening constraints on global sourcing.

We draw on Resource Dependence Theory (RDT) to conceptualise this SCR development. RDT emphasises that firms are embedded in networks of interdependence and must manage uncertainty arising from reliance on external actors (Hillman et al., 2009; Pfeffer and Salancik, 1978). This study focuses on two central mitigation strategies, buffering (creating internal capacity and redundancy to absorb disruptions) and bridging (external relationship management and coordination to navigate dependencies), to examine how firms reinforce SCR across disruptions (Manhart et al., 2020). We refer to the overall configuration and relative emphasis of bridging and buffering that a firm deploys in a given risk regime as mitigation posture. RDT’s emphasis on managing evolving dependencies makes it particularly suited to examining how firms reconfigure these strategies into distinct mitigation postures across successive disruption eras.

We adopt a longitudinal perspective spanning 2014–2024, capturing various supply chain risks and disruptions, including trade disputes, COVID-19 and the Ukraine war. We analyse annual reports from major defence companies with government contracts and complex supply chains as our primary data source. Individually, they capture firms’ reporting, planning and risk mitigation practices for a single year; when analysed across multiple years, they provide longitudinal insights into how practices evolve. To extract and structure this narrative data at scale, artificial intelligence (AI)-assisted content analysis was employed, using a large language model with human validation to systematically extract data across companies and years.

This research makes three contributions. First, we develop the Strategic Risk and Resilience Roadmap (S3R), an integrative framework that links supply-side, demand-side and internal risks with corresponding mitigation strategies over time. A majority of studies have instead focused on one single disruption, such as COVID-19 (Spieske et al., 2022). Second, we provide theoretical insights by applying RDT to show how defence firms shift between bridging-heavy, buffering-heavy and hybrid mitigation postures across three disruption eras, as changing resource dependencies reshape resilience priorities. These findings respond to calls for a systems perspective that emphasises strong relationships, adaptive mitigation and multi-level collaboration (Antai and Hellberg, 2024; Shekarian and Mellat Parast, 2021). Third, we demonstrate how AI-assisted content analysis can support longitudinal SCR research by analysing a multi-firm, multi-year corpus of annual reports and tracing temporal patterns in risk and mitigation disclosures. Generative AI is highly debated, and this study aims to understand how this methodology can be used for large-scale data extraction (Hayes, 2025).

The paper proceeds as follows. The theoretical section introduces three risk elements and corresponding mitigation strategies within an integrated SCR framework. The methodology outlines an AI-enhanced approach to qualitative content analysis. The results present core risk areas along with mitigation strategies for each dimension. The discussion interprets key theoretical insights and presents the S3R framework, including shifts in mitigation postures across disruption eras. Finally, the conclusion highlights academic and managerial implications, acknowledges limitations and suggests future research directions.

The defence sector includes organisations, agencies and industries involved in the development, production and maintenance of military equipment, infrastructure and services for national defence (Antai and Hellberg, 2024). Additionally, this study focuses on large publicly traded companies as key actors within the defence industry, where understanding how organisations manage supply-, demand- and internal risks to strengthen SCR is a critical concern. Risk is defined as the probability and potential impact of future events that could disrupt operations, while disruption refers to actual events that have already occurred and are currently affecting the supply chain’s ability to function normally (Lucas et al., 2024). The conceptual foundations of SCR trace back to Christopher and Peck’s (2004) seminal work, identifying four principles: re-engineering, collaboration, agility and risk management culture. Subsequent research has expanded this foundation, with Ponomarov and Holcomb (2009) emphasising adaptive capability, while Pettit et al. (2010) developed a comprehensive framework linking vulnerabilities and capabilities.

Early identification of supply-side failures, demand volatility and internal missteps is vital to sustaining agility and advantage (Sturm et al., 2022). Recent global upheavals have exposed the fragility of single-source and just-in-time configurations (cf. Bednarski et al., 2025; Ivanov and Dolgui, 2021; Ngoc et al., 2022). Accordingly, we treat risk management and SCR as inherently interconnected (cf. Jüttner and Maklan, 2011; Pettit et al., 2013). Guided by this premise, the risk landscape is structured into three domains: supply, demand and internal, each with distinct exposure and mitigation logic.

Supply-side risks encompass factors that hinder firms from meeting customer demand, representing the most extensively studied dimension of SCR (Choi and Krause, 2006). Defence industries face supply-side vulnerabilities because of their reliance on JIT pull-based systems and high proportions of foreign suppliers, creating amplified exposure to upstream disruptions (Antai and Hellberg, 2024). Research has identified diverse mitigation approaches, ranging from proactive strategies such as information sharing, redundancy and supplier development (Kähkönen and Patrucco, 2022; Pereira et al., 2014) to reactive responses including rapid collaboration and transport flexibility (Pereira et al., 2020). However, current research exhibits two key limitations. First, studies typically examine these strategies in isolation rather than investigating how firms systematically balance proactive and reactive approaches across different types of disruption. Second, while the importance of learning from disruption experiences is recognised. As Pereira et al. (2020, p. 2) emphasise:

Limited research examines how this learning shapes the evolution of supply-side strategy over time, particularly in defence contexts where geopolitical and regulatory risks create recurring yet varied challenges.

Demand-side risks present unique challenges that differentiate them from supply-side disruptions in SCR. These uncertainties impede firms’ ability to fulfil orders, manifesting as inaccurate forecasts, development delays, demand fluctuations and information asymmetries (Priem and Swink, 2012; Sturm et al., 2022). While commercial supply chains face relatively predictable demand patterns, defence supply chains encounter distinctive volatility – military equipment needs can change abruptly because of geopolitical developments, making accurate forecasting particularly challenging (Lucas et al., 2024; Ngoc et al., 2022). This volatility is further amplified by input-market volatility, product-market competition and regulatory shifts, while state budget cycles add contract-driven uncertainty (Antai and Hellberg, 2024; Shahbaz et al., 2019). However, research on how defence firms systematically manage these sector-specific demand uncertainties over time remains limited, particularly regarding the balance between reactive buffering and proactive bridging strategies in government-customer relationships.

Internal risks within organizational systems, processes and capabilities can fundamentally undermine resilience effectiveness (cf. Duchek, 2020). Internal resilience depends on an organisation’s ability to anticipate, cope with and adapt to disruptions (ibid.). Williams et al. (2017) identify financial, behavioural and relational resources as critical internal foundations, yet research on how these resources interact during crisis management remains fragmented. The defence context exemplifies the complexity of internal risk, where megaprojects frequently underperform because of optimistic forecasting, strategic misrepresentation, limited alternatives and governance weaknesses (Flyvbjerg, 2014). These projects’ long planning horizons, complex interfaces and high uncertainty create systematic tendencies towards cost overruns, delays and benefit shortfalls. While technological solutions, such as advanced procurement platforms and integrated project management systems, offer potential improvements in visibility and control (cf. Gustavsson, 2023), two critical areas remain underexplored. First, there is a limited understanding of how internal capabilities for anticipation, coping and adaptation develop and interact over time. Second, the relationship between internal risk management and external SCR strategies remains underexplored – particularly how internal capabilities enable or constrain firms’ choices between buffering and bridging approaches.

While internal capabilities form the foundations of resilience (Duchek, 2020; Williams et al., 2017), SCR fundamentally emerges from managing external dependencies and resource flows. RDT provides a theoretical lens for understanding these dynamics, as it explicitly addresses how organisations manage environmental uncertainties and resource constraints through strategic responses (Hillman et al., 2009). Unlike resource-based view approaches that focus on internal asset accumulation, RDT recognises that resilience often depends more on managing external relationships and dependencies than on internal resource stocks (Pfeffer and Salancik, 1978). This perspective is particularly relevant for defence supply chains, where firms depend heavily on government contracts, specialised suppliers and regulatory approvals; dependencies that create both vulnerabilities and opportunities for strategic response.

RDT emphasises managing external dependencies to secure key resources (Hillman et al., 2009), complementing the resource-based view’s focus on internal capabilities (Barney, 1991). Bode et al. (2011), building on RDT, distinguish between two broad resilience responses: buffering, which insulates firms by building slack (e.g. inventory redundancy, alternative transport routes, flexible designs) and bridging, which shapes the environment through closer collaboration and information sharing with partners. Kähkönen and Patrucco (2022) note that buffering and bridging can be either temporary or permanent, depending on whether a firm is strengthening existing ties or forming new ones. For instance, during the COVID-19 crisis, bridging proved especially effective in securing medical supplies through joint risk-sharing and co-innovation arrangements (Spieske et al., 2022). Research confirms that balancing buffering and bridging is essential for navigating environmental uncertainty (Manhart et al., 2020; Mishra et al., 2016). Bridging creates alliances that shape the external environment, while buffering builds slack to insulate core operations from volatility (Lynn, 2005). During the pandemic, both strategies were used to maintain resilience (Sarkar et al., 2022). Following RDT, dependence and power intensify when a resource is critical to operations and lacks readily available substitutes, giving the controlling actor leverage over the focal firm (Hillman and Hitt, 1999; Pfeffer and Salancik, 1978). To operationalise dependence in defence supply chains, four sensitising resource domains facilitate the diagnosis of the dominant constraint and shape buffering and bridging configurations: physical inputs and production capacity; human and knowledge; digital and information; and financial, market and institutional access.

First, firms depend on physical inputs and production capacity (e.g. material inputs and supplier capacity); they manage this dependence through mitigation, such as inventory and capacity or sourcing commitments and through contingency, such as contingent rerouting or volume reallocation to suppliers with flexible or reserved capacity (Tomlin, 2006). Second, firms depend on human and knowledge resources (e.g. scarce specialist labour and tacit know-how) that reside in individuals, which creates retention and value appropriation hazards when critical expertise becomes mobile or weakly codified (Coff, 1997; Grant, 1996). Third, firms depend on digital and information resources (e.g. shared information and digital infrastructures) that enable inter-organisational information exchange, visibility and coordination during disruption response (Bode et al., 2011; Scholten and Schilder, 2015). Fourth, firms depend on financial, market and institutional access, including working-capital conditions shaped by financial supply chain practices and nonmarket strategies required in regulated, government-facing environments (Hillman and Hitt, 1999; Wuttke et al., 2013).

To characterise the complex interplay between risks, mitigation strategies and SCR, this paper develops the S3R. It reflects that firms operating at a global level face diverse supply chain risks, which makes it essential to balance risk management with response strategies to build resilience against unplanned disruptions:

S3R (see Figure 1) classifies three key risk dimensions and draws on Jüttner and Maklan’s (2011) framing of supply chain risk management, which serves two goals: building resilience and reducing vulnerability. In S3R, vulnerability is folded into risk. Specifically, vulnerability reflects exposure and sensitivity that increase the likelihood and impact of disruption to the resources required for continuity. These resources are operationalised as physical inputs and production capacity, human and knowledge resources, digital and information resources and financial, market and institutional access.

Managing risk in S3R, therefore, inherently addresses vulnerability. SCR has been defined as: “[…] the adaptive capability of the supply chain to prepare for unexpected events, respond to disruptions and recover from them by maintaining continuity of operations at the desired level of connectedness and control over structure and function” (Ponomarov and Holcomb, 2009, p. 131).

S3R distinguishes three types of risks, supply, internal and demand. These risks are linked and analysed based on the dominant resource dependencies. Firms respond to this by using mitigation strategies such as buffering strategies (e.g. holding extra inventory) and bridging strategies (e.g. building stronger ties with partners). The framework highlights that these strategies are not mutually exclusive; rather, firms adapt the balance between them depending on the risk or disruption. In S3R, bridging and buffering are not applied uniformly; they are selected via posture selection rules that map disruption characteristics and the dominant resource dependence to buffering, bridging or a hybrid posture. Sudden, acute shocks are often best addressed with buffering (Lynn, 2005), while coordination or information-driven issues favour bridging (Bode et al., 2011; Mishra et al., 2016); on the other hand, persistent, multifaceted risks call for hybrid approaches (Spieske et al., 2022).

Importantly, the framework emphasises that SCR evolves gradually through learning and refinement. And we define SCR as a dynamic learning cycle of assessing and mitigating supply-, internal- and demand-side risks that, in turn, builds adaptive capability across the supply chain (Pereira et al., 2020; Ponomarov and Holcomb, 2009; Scholten et al., 2019). Where learning from past events informs risk assessment and helps refine the mix of buffering and bridging strategies, thereby improving risk management and reducing the impact of future disruptions (Scholten et al., 2019). Over time, these feedback loops yield enhanced SCR that is, “an increased capability to prepare for, resist, and rebound from disruption” (Ali and Gölgeci, 2019, p. 801).

The framework focuses on mitigation postures as the firm’s operative choice in a given risk regime. Supply, internal and demand risks shape the disruption context and surface dominant resource dependencies, which define the constraints under which firms can act. Firms then use posture selection rules to choose a mitigation posture, buffering-dominant, bridging-dominant or hybrid, which reflects how they configure buffering and bridging in practice. As outcomes accumulate, firms learn from each disruption and feed that learning back into refined risk assessment and refined posture selection rules; over successive eras, this repeated reassessment and reconfiguration support the gradual development of SCR.

To investigate the evolution of risk dimensions, mitigation strategies and SCR in the defence industry, this study uses a qualitative content analysis of annual reports from seven publicly listed defence companies: Saab, Leonardo, Rheinmetall, Lockheed Martin, Northrop Grumman, Dassault Aviation and BAE Systems, covering the period 2014–2024. By leveraging large language models (LLMs), we were able to process the large volumes of report text and thereby develop insights regarding how companies describe the inherently complex concept of SCR. The overarching goal is to identify and categorise different types of supply-chain risks and understand the mitigation strategies that build resilience. Below, we outline the stages of using AI to support the research endeavour.

To situate the unit of analysis within its industrial context, Figure 2 illustrates a generic defence supply chain, highlighting how raw materials, components and subsystems flow upstream from suppliers to prime contractors, where they are progressively integrated into larger systems. Downstream, government procurement agencies manage contracting, requirements and budget allocation before systems are delivered to end customers, who are responsible for deployment, sustainment and operation. Figure 2 captures the reciprocal flows of materials, systems and capabilities on the one hand and money, requirements and oversight on the other, underscoring the interdependence between industry and government in transforming resources into military capability.

AI refers to the use of machines to mimic human intelligence (Christou, 2023, p. 1968) or, more specifically, a system’s ability to interpret data, learn from it and adapt to achieve specific goals (Kaplan and Haenlein, 2019, p. 15). While its academic origins trace back to the 1950s, AI experienced limited practical application until advances in computing power spurred its current widespread usage (Haenlein and Kaplan, 2019). ChatGPT, introduced in 2022, is described by Kalla et al. (2023, p. 827) as “a revolutionary technology that uses advanced AI to generate natural language responses to a given prompt or input.” Its ability to process large corpora of text, coupled with language generation capabilities, makes it relevant for business research (Hassani and Silva, 2023). Generative AI systems raise novel considerations for academia, including policy development, concerns over AI-assisted writing and enforcement challenges (Hu, 2024). LLMs have the potential to contribute to qualitative research, and one domain where they are already making significant contributions is thematic analysis (Zhang et al., 2023). In a supply chain risk identification benchmark that compared five LLMs across providers, Zhao et al. (2025) note that GPT-4o variants achieved the highest proportions of expert-validated risk identifications with low false identification rates in their data set, while also noting occasional inaccuracies and the importance of expert oversight.

When using generative AI it is essential to recognise challenges such as hallucination (inaccurate or fabricated content), quality of data (inconsistent, biased or incomplete), lack of explainability (the opaque nature of AI decision‐making processes), authenticity (lack of verifiable originality or subject to manipulation) and prompt engineering (careful, iterative refinement to harness AI capabilities) (Fui-Hoon Nah et al., 2023). Despite these challenges, AI’s ability to efficiently analyse large text documents, such as annual reports, can significantly streamline research, complementing human efforts (cf. Haenlein and Kaplan, 2019; Kaplan and Haenlein, 2019). Prompt engineering plays a crucial role in the effective use of AI. According to Giray (2023, pp. 2629–2630), prompt engineering: “[…] refers to the practice of developing and optimizing prompts to effectively utilize large language models […]” A prompt has several key elements: Instruction (directing the model towards the desired output), Context (external information providing background knowledge to enhance accuracy), Input Data (core information for processing) and Output Indicator (response format specification) (cf. Giray, 2023). Prompt patterns are structured templates that standardise these elements (White et al., 2023). Regardless of how prompts are designed, AI can still omit critical details.

The annual reports were downloaded, and we used AI-assisted content analysis to extract risk and mitigation disclosures. Initial prompts that embedded risk definitions produced largely definitional outputs rather than report-specific disclosures. Aligned with Hassani and Silva (2023), we adopted more open-ended instructions, which led ChatGPT to capture more relevant content. To mitigate errors, we manually verified page-referenced outputs against the original documents.

We used a two-stage extraction procedure. One, we conducted an exploratory pilot extraction of a subset of annual reports to identify the recurring risk themes reported by firms across internal, supply and demand domains. We reviewed the pilot outputs and consolidated them into a stable set of risk constructs, which served as the coding framework for Table 1. Two, we re-ran the extraction across the full corpus using this fixed framework, applying structured prompts for each risk theme to retrieve the relevant disclosure, including page number(s) and short supporting excerpts. For each year and firm, the prompts generated outputs that we manually sorted into internal, supply-side and demand-side risk files for subsequent synthesis, and the verified firm-level presence or absence coding was aggregated into the tallies reported in Table 1. Following extraction and sorting, we conducted a cross-firm synthesis to examine how risks and mitigation strategies evolved across eras.

To compile risk dimensions for each company, a custom prompt instructed ChatGPT to focus on factual ^[1] data on various supply chain risks and their corresponding responses. The prompt elements included:

• Instruction: factual data extraction on supply chain risk.

• Context: supply-side, demand-side and internal risks.

• Input data: The annual reports.

• Output indicator: provide factual statements; cite page numbers in parentheses.

We started with highly prescriptive prompts that echoed our risk definitions. Switching to more open-ended wording produced more accurate extractions with fewer hallucinations. Quality improved when we supplied one annual report at a time, rather than in batches. Some reports failed to yield richer year-specific details despite repeated requests; therefore, we cross-checked the outputs against the originals and issued targeted follow-up prompts. For instance, we explicitly asked about the 2020 pandemic when a company’s report omitted it, thereby producing the missing data.

We conducted a cross-firm synthesis to examine how risks and mitigation strategies evolved across eras. ChatGPT’s Deep Research model was subsequently used with an overarching prompt: “Analyse Saab, BAE Systems, Leonardo, Lockheed Martin, Northrop Grumman, Dassault Aviation, and Rheinmetall (2014–2024) using the provided documents to examine the evolution of internal, demand, and supply risks, their mitigation through buffering and bridging strategies and the development of SCR. Focus on factual data, categorise risks, summarise insights in a table, with time-series analysis or graphs if relevant.”

The evolution of risk management strategies was tracked, highlighting major disruptions and each firm’s mitigation responses. All outputs were validated by human review, particularly where statements were ambiguous or references were missing. Analysis was conducted by the author with the aid of AI models o3-mini-high, o4-mini-high and Deep Research; the latter two yielded the strongest performance. Gemini Advanced 2.0 (Flash) and Gemini 2.0 Pro (Experimental) were also used, although the ChatGPT models demonstrated the highest accuracy (cf. Zhao et al., 2025).

Given the challenges associated with AI-based analysis, the study treated reliability and validity as intertwined with trustworthiness (cf. Golafshani, 2003). The design strengthened trustworthiness through triangulation, combining a standardised prompting protocol, iterative verification and manual cross-checking.

An iterative extraction process was conducted on a subset of reports to refine the prompts, whereby various prompts and definitions were evaluated to extract relevant data. We used ChatGPT to confirm that a high-level summary accurately reflected the main points and to surface additional context from the full annual reports, thereby validating subsequent extractions. Discrepancies were resolved through consensus discussions.

The research team processed all annual reports with a standardised prompt set during the initial extraction round to derive comparable factual data on the three risk elements, explicitly capturing both risk exposures and mitigation factors across firms and themes. This standardisation aimed to stabilise outputs at the point of first-pass extraction, before any firm-level verification or tallying. Prompt refinement used iterative extraction on a subset of reports. The researchers tested alternative prompt wordings and theme definitions, then used ChatGPT to check whether each high-level summary captured the report’s main points and to surface relevant context from the underlying text, including both risk statements and mitigation descriptions. The workflow treated these outputs as provisional drafts that guided follow-up queries and manual checks, rather than as evidentiary claims. Consensus discussions resolved discrepancies.

To make the reliability base explicit, the study validated the risk-theme tallies that later appear as company counts in Table 1 at the firm level. For each theme and firm, the procedure determined presence or absence by locating and verifying a traceable disclosure in the annual report. When a theme used stable terminology, such as cybersecurity, targeted keyword searches located candidate disclosures. When a theme required more conceptual interpretation, structured prompts in ChatGPT identified potentially relevant passages and returned page numbers with short verbatim quotes. The prompting step also required a brief rationale and a plausible counter-reading. Verification required a verbatim match on the cited page, which a team member confirmed and logged with the page reference.

This verification gate applied to all 35 risk-theme entries in Table 1 across seven firms, producing 245 firm-level presence-or-absence decisions (35 × 7). Keyword search and AI prompting functioned mainly as navigation tools, while the reported (x/7) counts reflect manually validated themes. This approach aligns with Hayes (2025), which frames LLM use as a three-way conversation between researcher, data and model, where the latter supports exploration and retrieval while the researcher designs the inquiry and tests outputs through critical examination against the source text. Robustness checks across model releases occurred at two main points. First, the research team reran the AI-assisted extraction and report-level summary checks with GPT 5.0 several months after the initial run to test. Second, the research team executed the firm-level verification and tallying procedure in ChatGPT 5.2 (December, 2025) and used those validated codings to generate the company counts reported in Table 1.

ChatGPT reduces the labour of manual coding, but it remains susceptible to inaccuracies, particularly for specialised or ambiguous queries (Hassani and Silva, 2023). Despite verification measures, AI may overlook subtle corporate nuances in annual reports. Relying exclusively on annual reports could also omit broader macro-level trends or undisclosed internal data. ChatGPT’s ability to process data depends on its training updates, the specific model used and inherent token limits, the fundamental unit of text. Because annual reports often exceed 200 pages, they must typically be analysed separately, as different models handle varying numbers of tokens. Moreover, ChatGPT’s accuracy is influenced by the quality of its training data, the clarity of the input and the complexity of the task (Hassani and Silva, 2023). Consequently, human oversight remains essential to ensure information integrity. It is also important to note that, for extraction and analytical purposes, human knowledge and verification are crucial. Prompt engineering may be the most important topic for scholars to learn more about, further increasing the possibilities at hand. For researchers, it is also a fast way to fill knowledge gaps if prompting is done correctly.

Moreover, although ChatGPT’s capacity to distil core themes from large amounts of text (Zhang et al., 2023), the research process unveiled several methodological concerns that researchers must take into consideration when using AI-based methodologies to assess qualitative data. First, the model can overlook less prominent details or nuances unless precisely prompted, and its answers are shaped by how questions are framed. Second, ChatGPT does not verify its completeness or accuracy beyond providing plausible responses, nor does it consistently flag contradictions or missing information. Third, it lacks a built-in citation mechanism or source documentation, limiting transparency. Still, it can be concluded that if the goal is to identify major trends, ChatGPT can be highly effective when coupled with the researcher’s contribution of careful reading, cross-referencing and domain expertise, which remain indispensable to ensure that details are neither lost nor misrepresented. With the right validation, ChatGPT can serve as a valuable starting point for extracting and initial analysis. To guide scholars, a step-by-step model is introduced to facilitate the use of AI in research.

Building on the challenges of data extraction and verification, the Integrated AI-Enhanced Qualitative Analysis (Figure 3) model provides a framework streamlining qualitative research by combining AI-assisted data extraction with systematic human oversight.

The steps in the processual model (Figure 3) are the following:

• Prepare research: Data collection and standardisation involve gathering all relevant documents and formatting them for consistency and compatibility.

• Prompt engineering: Entails designing and refining prompts – specifying task focus, context, input data and desired outputs – through iterative testing.

• AI service evaluation: Assesses candidate LLMs for consistency, detail, reliability and alignment with research objectives.

• Pilot testing: Applies prompts in controlled settings to evaluate effectiveness and inform refinements. This stage benefits from familiarity with the data, established by reading an initial subset of reports (12 reports in full in this study).

• Human verification: Cross-checks AI-surfaced excerpts against the original annual reports at the cited page location, logs verbatim passages and page references and resolves discrepancies through collaborative discussion.

• AI data extraction: Executes the refined prompts at scale to identify key themes and variables.

• Data synthesis and analysis: Organises the validated data into thematic categories, tables and graphical visualisations, either AI-assisted or manual, to reveal patterns and trends.

• Documentation and triangulation: Enhances the reliability and validity of the findings.

This processual model captures our approach to extracting data from annual reports and how AI contributes to data synthesis and analysis. Leveraging AI to reduce the manual burden of coding large data sets, combined with continuous prompt refinement and rigorous human oversight, allows this framework to be tailored to diverse document types beyond annual reports. Zhang et al. (2023, p. 1) outline a similar approach. Figure 3 provides an overview of the workflow for applying AI to qualitative analysis endeavours.

To capture substantive patterns rather than incidental year-to-year variation, annual reports were grouped into three disruption eras: a Baseline period (2014–2019) reflecting relative stability, the Pandemic era (2020–2021) representing an exceptional short-term shock and an Emerging Risk era (2022–2024) characterised by structural changes following renewed geopolitical tensions and inflationary pressures.

The analysis is presented across the three disruption eras identified: the Baseline period (2014–2019), the Pandemic era (2020–2021) and the Emerging Risk era (2022–2024). While the Baseline era was marked by relative stability, the Pandemic period introduced acute operational and supply chain disruptions and the Emerging Risk era reflected sustained turbulence driven by the war in Ukraine, inflation and persistent geopolitical uncertainty. Across all periods, companies relied on established enterprise risk frameworks for reporting,, to maintain consistent risk identification and disclosure (cf. Prewett and Terry, 2018).

During the baseline era, defence firms built foundational risk-management capabilities while running lean buffers alongside mature bridging. Supply-side actions included supplier qualification and monitoring, selective second sourcing and long-term agreements for critical materials; demand exposure to budget cycles was tempered by broad portfolios and sizeable backlogs; internally, firms strengthened cybersecurity, unified digital platforms and invested in skills and governance. In short, bridging dominated but was deliberately complemented by light, targeted buffers.

The pandemic era impacted defence companies. Lockdowns, labour shortages and logistics bottlenecks have stressed supply chains, so buffers such as health and safety protocols, remote work arrangements, alternating shifts, inventory management and expedited procurement have been highlighted to sustain production. In parallel, they deepened their collaboration with critical suppliers and customers through early payments, shared forecasts and schedules, real-time issue resolution and joint recovery and qualification plans, while using digital collaboration to keep engineering and support running. Backlogs in core defence programmes provided demand stability even as civil aviation exposure slumped and firms worked with government customers to secure continuity of funding and prioritise deliveries. Close collaboration with governments and tier suppliers was crucial in maintaining continuity when logistics and labour constraints were most severe.

During the emerging risk era, pandemic pressures eased, but firms confronted persistent semiconductor constraints, sanctions and export controls linked to the war in Ukraine, broad inflation and higher energy costs. In response, they expanded and diversified supplier networks, qualified secondary sources, increased local sourcing and secured long-term agreements, while complementing these bridges with capacity and inventory buffers supported by real-time monitoring for early warning. Companies also advanced new and re-anchored partnerships to stabilise critical inputs and align with policy. From 2022, long-horizon, state-backed frameworks and advance-payment structures increasingly underwrite supplier capital expenditure and stabilise throughput, formalising bridging while enabling firms to scale buffering (inventory and capacity) on bottleneck inputs. Examples include Rheinmetall’s dual sourcing, safety stocks, energy hedging and additional munitions capacity; BAE’s reliance on a large order backlog together with integrated supplier programmes to sustain deliveries; and Lockheed Martin’s transition to alternate suppliers after the removal of Turkish firms from the F-35 supply base, accompanied by strengthened oversight and risk governance of the extended enterprise. Dassault likewise reports chronic post-COVID supply shortages and cost pressures that required close coordination across the supply chain. Taken together, these actions reflect a hybrid strategy that combines robust internal buffers with strong bridges to suppliers and government customers to manage persistent geopolitical and macroeconomic uncertainty. Table 1 illustrates supply chain risks across eras.

Throughout the baseline era, defence firms leaned towards bridging to mitigate internal, supply and demand risks. Bridging strategies involve forming connections with the external environment to secure resources, such as partnerships, alliances or diversification of suppliers or markets. Buffering strategies involve insulating from external shocks (e.g. building slack resources, inventories, internal capacities) (cf. Mishra et al., 2016).

In the baseline era, firms describe that they tended to lean towards bridging. Annual reports often highlighted supplier-facing moves such as oversight and development, performance reviews and audits and structured collaboration, alongside teaming and offsets, joint ventures and wider industry cooperation. Companies also described formal engagement with authorities and key customers through structured liaison and long-term relationships to help secure programmes and smooth execution. Buffering was present but was usually framed as hygiene: safety stocks and inventory buffers for critical inputs; insurance and hedging against discrete shocks; anti-counterfeit controls and compliance systems and long-term material agreements to stabilise flow. Overall, the narrative appeared to centre more on building and leveraging interorganisational ties, including supplier development, teaming and offsets and engagement with regulators and customers, while using targeted buffers where exposure seemed known, such as inventory cushions, insurance and hedging and multi-year supply arrangements.

COVID-19 emerged in an era of operational adaptation, with many more descriptions about buffering. Internally, firms communicated on remote work protocols, health and safety measures and streamlined processes to buffer against workforce disruptions and ensure continuity. At the same time, digital transformation was central, including the deployment of cloud-based collaboration and virtual product development to bridge functions across geographies. On the supply-side, companies’ traditional buffering measures (e.g. stockpiling essential inputs and diversifying suppliers via “second sourcing”) are complemented by bridging actions, such as deepening ties through joint risk-sharing arrangements, accelerated supplier payments, developing digital supplier ecosystems and pursuing co-innovation initiatives. Customer engagement included long-term contractual commitments for stability, alongside co-development initiatives and virtual support programmes, to maintain business as usual despite physical distancing.

As geopolitical tensions intensify, firms have increasingly described that they have adopted a hybrid approach that blends buffering and bridging strategies in response to rising uncertainty. Internally, research and development investments, automation, digitalisation and workforce expansion served as buffers. Internal bridging mechanisms, cross-functional data platforms, agile new operating models and integrated risk-management structures are emphasised. In supply chains, long-term, primarily domestic partnerships and capacity expansions serve as a cushion against disruptions, while strategic alliances and joint ventures embed supplier innovation into operations. Regarding the demand side, robust multi-year order backlogs provide financial stability and co-development programmes (e.g. next-generation platforms) create close, reciprocal linkages that align product roadmaps with evolving defence needs.

Across the three eras, the disclosures indicate not only a shift in mitigation posture (bridging, buffering and their combination) but also a shift in which resource dependencies firms reported as most constraining. In the baseline era, firms emphasised programme continuity through customer engagement, compliance and long-horizon contracting, suggesting greater salience of relational and institutional access. During the pandemic era, reported constraints centred more on physical inputs, capacity and workforce continuity, coinciding with increased buffering alongside intensified bridging for visibility and coordination. In the emerging-risk era, persistent supplier constraints and ramp-up pressures coincided with an integrated posture that combines buffering and bridging. Table 2 summarises buffering and bridging strategies across internal, customer and supplier dimensions and reports the dominant resource dependencies (1 = most dominant) across the four S3R resource categories.

The empirical patterns illustrate S3R’s posture selection dynamics and provide indications of refinement. Buffering appeared to dominate in acute shocks, while bridging was more common in coordination-driven issues. Under conditions of protracted uncertainty, firms increasingly combined the two, suggesting that hybrid postures may represent more than an intermediate stage and could be viewed as a posture that blends redundancy with long-term relational investment.

This section discusses the core premise of S3R that bridging and buffering are contingent upon the type of disruption and suggests possible refinements. We use the term posture to describe the overall configuration of mitigation strategies (i.e. bridging and buffering) adopted in response to different contingencies.

The analysis demonstrates that bridging and buffering strategies in defence supply chains are not static but evolve dynamically in response to shifting risk environments. This adaptive pattern reflects how organisations adjust to environmental jolts and restore fit over time (Küffner et al., 2022). The discussion can be clustered around three postures: collaboration in the baseline era, protective redundancy during the pandemic and a hybrid posture in the emerging-risk era, with a notable role-reversal of primary risk post-2022 – supplier constraints become dominant, while customer exposure shifts from budget uncertainty to delivery performance.

Resource dependencies change across eras, driving shifts in mitigation posture. Table 2 shows that different resources become dominant in each era, and the disclosures indicate that firms adjust the mix of bridging and buffering to manage that specific dependence. In the baseline era, firms most often foreground financial, market and institutional access, such as funding continuity, contract stability and regulatory compliance, so they lean towards bridging actions that stabilise those dependencies through customer engagement, long-horizon agreements and institutional coordination. During the pandemic, physical input, capacity and human continuity became the dominant constraints, so firms intensified buffering through inventories, resequencing and workforce protection, while using targeted bridging to restore visibility and recover supplier throughput. In the emerging-risk era, persistent bottlenecks in physical inputs coincide with renewed salience of institutional access (export controls, sanctions and state-backed ramp-up frameworks), which pulls firms towards a hybrid posture that couples buffering (capacity and stockpiles) with bridging (long-term supplier agreements, localisation partnerships and closer government alignment). By linking posture shifts to the changing identity of the constrained resource, the analysis makes the RDT mechanism explicit: firms adapt mitigation posture as they manage the dependence that most threatens continuity in a given disruption era.

During the relatively stable baseline period, firms relied on relational leverage to manage uncertainty. This posture resonates with the principles of RDT, which suggests that organisations actively build external connections to secure resources and reduce dependence (Bode et al., 2011). In this era, the dominant emphasis was on bridging: firms invested in long-term supplier and customer relationships, co-development programmes and internal cross-functional integration. These measures enabled firms to manage moderate uncertainty by leveraging inter-organisational linkages and internal knowledge-sharing mechanisms. Buffers such as order backlogs and selected inventories were maintained but played a supporting role. This posture aligns with Lynn’s (2005) observation that when an organisation’s “requisite variety” is sufficient, only minimal additional safeguards are required. The strategic orientation aligns with Mishra et al. (2016), who describe it as a prospector type, where deep ties and light buffers coexist to facilitate growth and innovation.

The COVID-19 pandemic constituted a severe environmental jolt in which existing relational strategies proved insufficient. Uncertainty outpaced firms’ requisite variety (Lynn, 2005), forcing a rapid shift towards buffering. In this stage, firms enacted emergency measures, prioritising health and safety protocols, remote working systems and the use of inventories to absorb supply disruptions. Such defensive buffering reflects the absorbing capability, where organisations draw upon slack resources to withstand shocks (Kähkönen and Patrucco, 2022). At the same time, bridging actions were not abandoned, but took more ad hoc forms. Companies deepened collaboration with critical suppliers through accelerated payments, joint recovery planning and digital coordination platforms to sustain programme continuity. Nevertheless, the dominant strategic logic was insulation and protection, consistent with Lynn’s (2005) emphasis on buffering as a safeguard under high uncertainty. This phase mirrors the “initial” and “temporary” response waves in purchasing and supply management identified by Küffner et al. (2022), in which emergency buffers and short-term bridging mechanisms stabilise operations during the height of disruption.

As pandemic pressures receded but new risks emerged, ranging from semiconductor shortages to war-related sanctions and inflation, firms moved towards a hybrid posture that combined bridging and buffering. This dual approach demonstrates that resilience requires complementarity between redundancy and collaboration (Spieske et al., 2022). On the buffering side, firms expanded and diversified supplier networks, increased local sourcing and built inventory and capacity reserves supported by real-time monitoring. In parallel, bridging remained central: defence companies strengthened alliances, pursued long-term contracts and engaged in risk-sharing arrangements with governments and suppliers. These actions reflect what Mishra et al. (2016) characterise as an analyser strategy, in which bridging and buffering are deliberately integrated to reinforce one another. This posture also illustrates how organisations build new requisite variety by investing in digital tools and risk governance, enabling them to manage persistent uncertainty without relying solely on costly buffers (Lynn, 2005).

The findings suggest that defence companies cycle through adaptive mixes of bridging and buffering depending on environmental conditions. In stable periods, they pursue lean supply chains, minimal buffers and strong relational leverage. When disruptions strike, they respond swiftly with buffering measures such as inventory drawdowns, capacity slack and alternate sourcing, alongside ad hoc bridging actions to secure continuity. As disruptions persist, firms then rebalance towards integrated approaches, scaling down buffers once digital monitoring and collaborative arrangements provide new safeguards. This cyclical pattern refines RDT by embedding organisational learning and temporal dynamics into dependence management (Lynn, 2005; Bode et al., 2011). It also echoes Antai and Hellberg’s (2024) observation that overreliance on just-in-time logistics and global suppliers exposed firms to shocks, motivating them to recalibrate their strategies when disruptions unfolded.

A key contribution of this study is the identification and categorisation of bridging and buffering strategies as distinct but complementary building blocks of SCR. Bridging strategies involved strengthening ties with external stakeholders, such as offering financial and technical support to suppliers during the pandemic or pursuing multinational joint development programmes (Spieske et al., 2022; Kähkönen and Patrucco, 2022). Buffering strategies, by contrast, insulated operations through stockpiling, multi-sourcing, capacity slack and long-term contracts. This distinction is critical: while bridging strategies often deliver more effective short-term relief during acute shortages (Gebhardt et al., 2022; Spieske et al., 2022), firms that combine these measures with buffers such as inventories and order backlogs achieve superior resilience (Kalaitzi et al., 2019). The analysis shows that low-bridging/low-buffering postures were absent, confirming Lynn’s (2005) argument that such positions are only sustainable in environments of very low uncertainty.

Bednarski et al. (2025) identify supply chain redesign and technology adoption as central responses to geopolitical disruptions. Our findings suggest these themes gain additional nuance in the defence sector: redesign appears iterative rather than static, unfolding across shifts from bridging to buffering and ultimately hybrid approaches. Technologies, meanwhile, act less as stand-alone drivers of SCR and more as contingent mechanisms that reinforce either bridging or buffering. The defence setting further indicates that procurement regimes and national security imperatives condition how such strategies are pursued.

The evolution of bridging and buffering strategies also demonstrates resilience as a path-dependent process (Greener, 2002). Firms with prior exposure to smaller disruptions in the 2010s were better prepared to respond quickly to the systemic shock of the pandemic. This indicates that resilience capabilities accumulate incrementally over time and are shaped by organisational memory and learning. The adaptive cycles observed here enrich RDT by showing that dependence management is not only relational but also temporal, unfolding across sequences of disruption and adaptation. In this way, resilience emerges not as a static attribute but as an ongoing, processual adjustment embedded within complex inter-organisational networks (Bondeli and Havenvid, 2022).

This study primarily contributes to the domain theory of SCR (Christopher and Peck, 2004; Ponomarov and Holcomb, 2009; Pettit et al., 2010), by conceptualising how defence firms shift between bridging-heavy, buffering-heavy and hybrid postures across disruption eras. Resilience is shown to be path dependent and processual, evolving through phases rather than remaining a static attribute (Scholten et al., 2019). Using RDT, we explain how firms adjust between bridging and buffering as environmental uncertainty changes (Pfeffer and Salancik, 1978; Hillman et al., 2009; Mishra et al., 2016; Kähkönen and Patrucco, 2022). We further demonstrate that hybrid postures can become institutionalised rather than remaining temporary mixes, consistent with recent evidence on the complementarity of buffering and bridging strategies (Spieske et al., 2022; Kalaitzi et al., 2019). This extends RDT by embedding temporal and processual dynamics into how firms manage resource dependencies and external relationships, revealing resilience as a capability that accumulates through organisational learning across disruptions. In doing so, the study also highlights the distinct features of supply-side resilience in defence supply chains, a context that remains comparatively underexplored (Lucas et al., 2024). Finally, by showing how bridging and buffering unfold across inter-organisational networks rather than solely at the firm level, the paper answers the call for more network-oriented and time-phased theorising (Bondeli and Havenvid, 2022; Manhart et al., 2020).

These findings extend RDT in SCR by showing that dependence management is not only relational but also temporal: resource constraints shift across disruption eras, and that shift re-orders the postures (bridging, buffering and hybrid).

The S3R framework (Figure 1) provides managers with a structured tool for diagnosing and mitigating supply chain risks. Categorising risks and linking them to specific bridging and buffering strategies enables decision-makers to allocate resources and prioritise interventions. The findings indicate that SCR is strongest when firms combine mitigation strategies rather than rely on a single approach.

For practice, three implications follow. First, managers should actively monitor which posture their firm currently occupies, i.e. bridging-heavy, buffering-heavy or hybrid and adjust strategies as the risk climate evolves. Second, investments in digital monitoring and risk governance should be prioritised, as these reduce reliance on costly physical buffers while enhancing collaboration. Third, long-term partnerships with both suppliers and government customers should be treated not only as transactional arrangements but as resilience enablers that stabilise demand and safeguard critical inputs. In this way, managers can proactively shape resilience rather than merely reacting to disruptions as they occur.

This study contributes to the methodological debate in supply chain management research by demonstrating how LLMs can be systematically incorporated into qualitative content analysis of annual reports, particularly in coding and theme extraction. As AI capabilities continue to evolve and are likely to play an increasingly significant role in research, it becomes essential to begin unveiling their methodological possibilities. This study represents an early step in that broader exploration. The proposed Integrated AI-Enhanced Qualitative Analysis model combines prompt engineering, pilot testing and structured human verification to address challenges such as fabricated outputs, inconsistency and incomplete extraction.

By reducing coding effort while preserving analytical rigour, the study provides a replicable framework for scholars working with extensive textual data sets. It further advances debates on digital research tools by illustrating how AI complements, rather than replaces, human analysis, enhancing both efficiency and depth when carefully governed.

The study also offers practical insights into AI-assisted research design. It shows that open-ended, context-sensitive prompts and report-level processing yield more accurate outputs than prescriptive definitions or bulk analysis, while triangulation with source documents and external events is essential for validity. Further, we have experienced that LLMs develop rapidly, meaning that these tools will be more powerful for this type of research in the future. These lessons provide a foundation for future SCM research to critically and constructively engage with AI-enabled methodologies and their implications for both theory and practice.

This study analysed how defence firms report their resilience strategies, which reflects how they want to be perceived in markets and society. Annual reports can indicate whether resilience is framed as short-term crisis fixes or as an enduring capability supported by recurring investments and formal routines and how these develop over time. They cannot verify day-to-day execution, which calls for further in-depth case studies. This means that future work should explore how reported strategies align with actual practices.

First, bridging and buffering strategies deserve closer scrutiny in light of shifting geopolitical dependencies and regionalisation trends and how firms counteract resource dependencies to strengthen their power position. For example, will defence firms increasingly maintain distinct, regionalised supply networks and what long-term costs or lock-ins might such choices create for SCR?

Second, applying a dynamic capabilities framework (Teece et al., 1997), could illustrate how primes portray the internal capability-building that underpins their responses: how they sense external disruptions and policy shifts, seize responses through committed investments and programmes and reconfigure structures and routines to embed collaboration and targeted buffering over time.

Third, further studies could focus on issues that can either be managed from a company perspective or where changes in industrial policy strategies are required. Policy implications can focus on the four defined resource dependencies (as depicted in Figure 1). The question is how to balance what is the responsibility of companies alone and what is the societal responsibility. For example, to understand industrial strategy, we need to investigate:

1. governmental support for ensuring physical inputs and production capacity;

2. the development of knowledge and innovation strategies;

3. how cybersecurity strategies should be implemented and developed; and

4. finally, how to assure access to financial markets, funding and the level of private versus public risk sharing.