In this article, we examine how external factors such as demand, security regulation, cyber risks, and relative performance influence supply chain risk management (SCRM) in young and mature small and medium-sized enterprises (SMEs) in Turkey. For this, we utilised fuzzy set qualitative comparative analysis (fsQCA) using data from 137 Turkish SMEs. Our results suggest a single significant path for explaining SCRM in young SMEs, while we found three significant paths for explaining SCRM in mature SMEs. Furthermore, the results indicate that demand risk is the only external factor for young SMEs to realise SCRM success. For mature SMEs, demand risk and/or relative performance are essential to explain SCRM performance. Based on our findings, we theoretically contribute by unravelling the pathways through which external factors influence SCRM performance. Moreover, practitioners could align their strategies towards these pathways when constructing a strategy for achieving SCRM performance.