Every business faces risks, i.e. the probability of events occurring that can, or will, present challenges to its operations. Not every organisation is aware of the wide range of supply chain risks it might face.
As a result, many do not have robust plans to deal with the resulting disruption and the financial losses that will follow.
Managing risk means identifying what can go wrong in advance in your relationships with vendors, and having a plan in place to deal with it. Failing to do this or being under-prepared will generate some unwelcome surprises.
Facing up to the possibility that adverse events may happen is the first step.
Risks range from supply interruptions, environmental and safety crises and information security breaches through to assaults on brand and reputation.
Failure of a key vendor may be critical or even fatal to your business. To protect against potential disasters, we employ processes, methods and tools to identify each probability, and then we manage the ensuing risks.
What can go wrong?
Not managing procurement risk effectively can result in:
- Discontinuity in the supply of essential goods or services
- Key vendor financial failure or cash flow problems
- Avoidable cost increases in raw materials, services and project costs
- Product contamination and recall
- Critical technology failure or cyber attack
- Environmental pollution or safety incidents
- Legal non-compliance, regulatory lapses or vendor fraud
This is not an exhaustive list; others may occur within your vendor relationships. Can you identify them?
Risk management planning
According to analysts at Spend Matters, many organizations deal with risk on a piece-part basis. Spend Matters believe that this fragmented approach is the wrong one and that a holistic view is needed, backed by technology.
There are three main steps to developing a risk management plan:
1. Identify the risks
Is the risk high, medium or low? It requires a team effort to define the most critical risks. Ideally, a project or risk manager should help generate these ideas in both group and one-on-one settings, and then allocate ownership for individual risks.
2. Evaluate the risks
With every risk quantified, the team can evaluate which vendor risks need to be addressed and in how much detail. The decision on whether to accept the specific risk (carry the cost) or take action to prevent or minimise it depends on the organisation’s appetite for the risk. The cost of insuring the risk may be so high that it does not make financial sense.
3. Build a contingency plan
Developing actionable plans is the most important step. Alternative solutions for an adverse event should be created where relevant, according to priority, and include all the details necessary to actually take action. This could involve defining escalation procedures that your company must follow when an event occurs.
There are really only four ways of managing a risk: accept it, transfer it, reduce it or eliminate it.
If we accept it, we may be able to insure it. However, some costs are uninsurable, such as the damage to a company's reputation.
Information and cyber risk
Supply chains are becoming increasingly dependent on information technology systems and software. There is a growing threat from cyber risk and an urgency to prioritise this, maybe even beyond some physical risks.
When reviewing trends for 2018, Spend Matters said that they believe it is important to highlight the rising interest in (and need for) investment in supply risk relating to cyber security. They predict that a greater percentage of manufacturers will suffer attacks in 2018.
KPMG recommends doing due diligence on key vendors. This means researching each vendor, their reputation and linked organisations. It also includes examining their IT security, invoicing, contact methods, system logins and access control.
Practical tips to manage vendor risk
- Have a clear view of your total third-party expenditure. Ensure that the data is accurate, reliable and up-to-date. For strategic vendors, it is recommended that you gain insight into their reliance on their own vendors (your Tier 2). Understanding the relationships that exist between different tiers of suppliers allows you to assess the extent of any possible supply risk.
- Assess key vendors by their risk level. With the highest risk vendors, site visits and procurement audits are essential. Ensuring compliance with specific laws and regulations around ethics, corporate social responsibility, health and safety and financial security is vital. Verify all information supplied and monitor it regularly. Research conducted by Achilles and IFF Research revealed that 43 percent of businesses are aware of a high-risk supplier failing to meet compliance requirements.
- Pre-qualify new vendors. Establish your minimum requirements for compliance with laws and regulations in your industry and make these mandatory when selecting new vendors.
- Sole-source vendors need special attention. Routine site visits are one of the most effective methods of not only identifying supply chain risk but also helping develop contingency plans. Any sole-source contract should have a plan B in place that can be activated with immediate effect.
One hopes that there is at least a rudimentary risk management plan in place in all organisations. At the very least, you should be aware of the risks that are relevant to you, especially those that are based on availability and price.
Best practice in risk management is defined by continual monitoring and having contingency plans for each risk area.