Every business faces risks, i.e. the probability of events occurring that can, or will, present challenges to their operations. Not every organisation is aware of the wide range of supply chain risks they might face and fail to carry out supplier risk analysis.
As a result, many do not have robust plans to deal the resulting disruption and the financial losses that will follow.
Managing risk means identifying what can go wrong in advance in your relationships with suppliers, and having a plan in place to deal with it. Failing to do this or being under-prepared will generate some unwelcome surprises.
Facing up to the possibility that adverse events may happen is the first step.
Risks range from supply interruptions, environmental and safety crises and information security breaches through to assaults on brand and reputation. These risks can all impact your business's reputation and cause significant financial issues.
Failure of a key supplier may be critical or even fatal to your business. To protect against the potential disasters we employ processes, methods and tools to identify each probability, and then we manage the ensuing risks.
What can go wrong?
The consequences of not managing procurement risk effectively can result in:
- Discontinuity in the supply of essential goods or services
- Poor supplier performance
- Key supplier financial failure or cash flow problems
- Avoidable cost increases in raw materials, services and project costs
- Product contamination and recall
- Critical technology failure or cyber attack
- Environmental pollution or safety incidents
- Legal non-compliance, regulatory lapses or supplier fraud
This is not an exhaustive list; there may be others that may occur within your supplier relationships. Can you identify them?
How do you manage supplier risk?
According to analysts at Spend Matters, many companies deal with risk on a piece-part basis. Spend Matters believe that this fragmented approach is the wrong one and that a holistic view is needed, backed by technology.
There are three main steps to developing a risk management plan, built around effective supplier risk analysis; Identify the risks, evaluate the risks and create a contingency plan. Let's take a look below.
1. Identify the risks
Is the risk high, medium or low? It requires a team effort to define the most critical risks. Ideally, a project or risk manager should help generate these ideas in both group and one-on-one settings, and then allocate ownership for individual risks.
2. Evaluate the risks
With every risk quantified, the team can evaluate which supplier risks need to be addressed and in how much detail. The decision on whether to accept the specific risk (carry the cost) or take action to prevent or minimise it depends on the organisation’s appetite for the risk. The cost of insuring the risk may be so high that it does not make financial sense.
3. Build a contingency plan
Developing actionable plans is the most important step. Alternative solutions for an adverse event should be created where relevant, according to priority, and include all the details necessary to actually take action. This could involve defining escalation procedures that your company must follow when an event occurs.
There are really only four ways of managing a risk: accept it, transfer it, reduce or eliminate it.
If we accept it, we may be able to insure it. However, some costs are uninsurable, such as the damage to a company's reputation.
How do you manage supplier compliance?
To minimise supplier risk and improve compliance, you need visibility into whether or not suppliers are working within regulations, fulfilling contract obligations and keeping their information up-to-date.
If you are managing your contracts manually, or your record-keeping is fragmented, it can be easy to lose sight of your suppliers’ compliance statuses.
1. Simplify document gathering with delegation
Improving supplier compliance means having thorough processes from the start of your relationship. By making document gathering mandatory ahead of onboarding, suppliers will need to provide you with their records before the relationship goes any further.
This protects your business from risk and non-compliance immediately, also saving time further down the line as you won’t need to chase for missing information or documentation. Delegating the information you need puts the onus on suppliers to be compliant and prove that they are doing so.
2. Centralise compliance documentation
If you don’t have sight over the status of supplier compliance, you increase the risk of your business being non-compliant too. Visibility relies on being able to easily access accurate, up-to-date information.
Centralising documentation in a secure repository gives you a single source of truth about the status of your suppliers. This will bring to light any certificates that are expiring, any data that needs updating or any gaps in your supplier information.
3. Continuously track supplier compliance
It’s not enough to simply centralise supplier information such as compliance certificate. If you put all documentation in one place and never look at it again, non-compliance can quickly occur without anyone knowing.
A failure to track supplier compliance can increase risk, disrupt your business, damage relationships and lead to legal action
Tracking your suppliers, whether it's their compliance status, their performance against agreed KPIs or whether or not they have met obligations, will help you stay one step ahead of compliance and risk.
Information and cyber risk
Supply chains are becoming increasingly dependent on information technology systems and software. There is a growing threat from cyber risk and an urgency to prioritise this, maybe even beyond some physical risks.
When reviewing trends for 2018, Spend Matters said that they believe it is important to highlight the rising interest (and need) for investment in supply risk relating to cyber security. They predict that a greater percentage of manufacturers are expected to suffer attacks in 2018.
KPMG recommends doing due diligence on key suppliers. This means researching each one, their reputation and linked companies. It also includes examining their IT security, invoicing, contact methods, system logins and access control.
This due diligence can take place before the supplier has even been onboarded and should continue throughout the length of your relationship with them.
Contract management software that provides integrated risk surveillance feeds can give you insights into risk scores, credit scores and the latest news about your suppliers."
MarketIQ from Gatekeeper not only gives you up-to-date information about your potential and current suppliers, it also provides you with daily alerts if anything changes in relation to ownership, legal issues or financial matters. Not only will this save you time from engaging with unsuitable suppliers, but it also helps you to make informed decisions about supplier consolidation where required.
See real-time risk data about your suppliers with MarketIQ
What are Supplier risk and Compliance management Best Practices?
- Have a clear view of your total third-party expenditure. Ensure that the data is accurate, reliable and up-to-date. For strategic suppliers, it is recommended that you gain insight into their reliance on their own vendors (your Tier 2). Understanding the relationships that exist between different tiers of suppliers allows you to assess the extent of any possible supply risk.
- Assess key suppliers by their risk level. With the highest risk vendors, site visits and procurement audits are essential. Ensuring compliance with specific laws and regulations around ethics, corporate social responsibility, health and safety and financial security is vital. Verify all information supplied and monitor it regularly. Research conducted by Achilles and IFF Research revealed that 43 percent of businesses are aware of a high-risk supplier failing to meet compliance requirements.
- Pre-qualify new suppliers. Establish your minimum requirements for compliance with laws and regulations in your industry and make these mandatory when selecting new vendors.
- Sole-source suppliers need special attention. Routine site visits are one of the most effective methods of not only identifying supply chain risk but also helping develop contingency plans. Any sole-source contract should have a plan B in place that can be activated with immediate effect.
- Centralise all information and keep tracking suppliers. You can't know what you don't know and if your supplier records are fragmented, hidden or missing, you won't be able to see the level of risks, including non-compliance, that they bring to your business. Centralisation and continua tracking allows you to always know what's going on in your
One hopes that there is at least a rudimentary risk management plan in place in all organisations. At the very least, you should be aware of the risks that are relevant to you, especially those that are based on availability and price.
Best practice in risk management is defined by continually monitoring and having contingency plans for each risk area.
For more best practice advice on vendor and supplier management, please read our related blog article. You can also read our case study to discover how Manpower UK worked with Gatekeeper to carry out due diligence on over 700 suppliers ahead of legislation changes.