The importance of cataloguing supplier risk

To function as a going concern, every organisation needs to obtain a wide range of products and services from its suppliers. While timely and accurate delivery of an order is both a reasonable organisational expectation and a normal supplier objective, it can’t be guaranteed. Uncertainty is to blame, and as history has shown repeatedly, it takes no prisoners.

Uncertainty takes form as risk, a future probability that will only occur if all the necessary conditions line up. Many of those conditions can’t be determined in advance, but only become evident in retrospect.

Repeated exposure to risk can provide insights that help reduce uncertainty through improved prediction of the applicable conditions. Sometimes, near enough is good enough.

While supply disruption risk is just a fact of life, it’s also the case that an organisation’s suppliers are increasingly sources of other types of risk that can affect it. With countless causes and consequences of all these supplier risks, getting a handle on those with the most impact on the organisation and figuring out how to deal with them really is just good practice.

Maintaining compliant practices

In fact, in many industries and many jurisdictions, it already is, or soon will be, mandatory practice. New regulations are increasingly being enacted. Many regulators dealing with particularly sensitive industry sectors are taking steps to ensure relevant organisations are aware of and can deal with their supplier risks.

The regulatory aims can range from minimisation of disruption to an organisation’s critical business operations, to making organisations responsible for certain sins of their suppliers.

Non-compliance is self-harming.

Key to this practice is development, use and maintenance of a supplier risk catalogue to itemise and categorise the potentially most-impactful risks facing the organisation. It should also cover the typical causes and factors influencing these risks, and the mitigating actions designed to eliminate, minimise or deal with their occurrence.

Of course, not all supplier-related risk can be anticipated or mitigated, but upfront consideration and preparation can relieve some of the pressure of dealing with it if and when it occurs.

What you need to know about cataloguing supplier risk

This article describes an approach to revealing the broad nature of supplier risk, how to deal with it generically and then specifically for each individual key supplier when warranted, plus how to catalogue all the details for rapid access when needed.

The main activities include:

• Identifying the common generic supplier risks whose occurrence would likely have the most impact on the organisation, and their typical causes and influencing factors
• Developing broad-brush mitigations for the generic supplier risks, for use as a guide for dealing with their occurrence as specifically expected risks
• Discovering the supply chain risks associated with at least the organisation’s important suppliers
• Identifying key risks that each of the organisation’s important suppliers might incur
• Developing specific mitigations for each important supplier’s key risks
• Preparing an approach for dealing with unforeseen supplier risk
• Implementing a cataloguing mechanism for recording and maintaining details of both key generic and the assessed individual supplier risks plus their associated mitigation approaches, and how to handle unforeseen risk.

Identify the most impactful generic supplier risks

Every organisation could at some stage be subject to a mix of common supplier risks with the potential for serious impact.

Some of the usual suspects of most concern include:

• Disrupted supply, where delivery of products or services by a supplier is incomplete, incorrect, late or missing
• Unauthorised access to, or theft, misuse, modification or deletion of, the organisation’s information held by or made available to a supplier
• Unauthorised access to the organisation’s IT systems via a supplier’s IT systems by its own people or unknown outsiders
• A supplier’s non-compliance with applicable regulations, contract obligations or agreed processes
• A supplier’s lack of authority over any subcontractors’ activities relating to delivery of the organisation’s orders or general behaviour affecting delivery
• Inflexible, unfavourable or unchangeable terms in a supplier’s contract that limit the organisation’s or the supplier’s ability to cope with change.

All such risks need to be identified. Doubtless there will be other types that an organisation could be, or has already been, severely impacted by, so as many as possible need to be revealed.

To allow mitigations to be developed for these risks, it’s important that typical causes for each one are identified. For example, some causes of supply disruption can include:

• Direct supplier insolvent or in financial difficulties
• Interrupted supply to the direct supplier from its own suppliers
• Transport disruption overseas or locally
• Workforce disruption at the supplier’s operational locations
• Operational difficulties with the supplier’s IT systems or production sites
• Natural hazards and workplace disasters
• Economic and political instability

Develop generic mitigations for the generic supplier-related risks

A generic mitigation for any consequential supplier risk will ideally consist of several high-level options. These would take into account how the risk could commonly be triggered, how its occurrence might affect the organisation, in what areas, and the reasons for that effect.

Mitigation options should cover both preventive and remedial measures. Both need to be realistically achievable with minimal fuss, and not introduce undesirable secondary effects."

Various factors that could influence a risk’s occurrence or its impact might not be, or need to be, individually treated if higher-order measures can effectively deal with them.

Consider the case of a potential or actual non-delivery of an important order, where the mitigation options might include:

• Investigating if an extended delay can be accommodated by the organisation and the limits of that delay, and finding out if the supplier can deliver the order within that extended period
• Determining if any alternative products and services could be viable substitutes that are readily available from the supplier
• Maintaining a list of alternative suppliers of the desired products and services or their near equivalents, and placing an urgent order with the supplier who can deliver soonest
• Providing some sort of practical assistance to the supplier that might help to alleviate the problems causing the delivery delay, such as pre-payment or some kind of cash injection, or arranging and paying for shipping or other logistical matters
• Slowly increasing on-hand inventory of critical items to provide buffer stock for minimising the effects of delivery problems with orders for such items
• Behaving properly with suppliers at all times and treating them as the valuable resource that they are, to achieve favoured-customer status which could help ensure priority attention when needed.

The factors influencing which mitigation options are most viable in this case include the underlying causes of the supplier’s delay and the feasibility of avoiding or minimising them, the criticality of the delivery date and the feasibility of extension, and the availability of alternative products and services or suppliers.

When considering which generic mitigations might be applicable to certain situations, all such influencing factors need to be uncovered and noted as qualifiers for the use of such mitigations.

Discover supply chain risks associated with important suppliers

For an organisation to get what it needs from its suppliers by when it needs it can be complicated. Just like the organisation, those suppliers can depend on their own suppliers to deliver orders correctly and on time, and so on down the chain of suppliers to some ultimate origin.

Anything can happen to any one or more suppliers in the supply chain associated with any of the organisation’s direct suppliers. This can affect a direct supplier’s ability to deliver whatever it was that the organisation ordered.

Operationally speaking, the supply chain associated with an organisation’s direct supplier can be all but invisible when it really shouldn’t be. Such a situation represents unnecessary and avoidable risk to the organisation.

Increasing globalisation has increased supply chain length, and just-in-time delivery can have severe knock-on effects across the chain when not-in-time delivery occurs. Both aspects are causing pause-for-thought due to the ripple effect, with resiliency now in the spotlight.

The organisation’s supplier qualification and selection practices, where they exist, should require candidates to provide the necessary supply chain details as a key aspect for consideration. Once selected, suppliers should be obliged to regularly provide updated supply chain and applicable regulatory compliance details.

Of particular interest is how a direct supplier identifies and deals with risk from not only its own suppliers, but recursively down the chain of suppliers for as far as is feasible. Note that the further down the chain, the lower the likelihood that the desired information will be available or forthcoming.

Given the growing importance of the availability of supply chain details, an ecosystem of third-party firms has evolved to capture, manipulate and provide the required information."

Armed with whatever supply chain details can be delivered to the organisation from its direct suppliers, details of the risks of dealing with at least the most important of those suppliers can be extracted and categorised.

Important suppliers can be categorised in any number of ways, such as:

• They handle or have access to highly sensitive organisational or personal information
• They provide business critical services to or on behalf of the organisation
• They provide products and services to regulated industries and must operate in compliance with certain regulations
• They are the sole or only really viable local supplier of specific products and services required by the organisation
• The organisation spends more than a specified amount with them annually
• The organisation is their largest customer.

Identify key risks associated with important suppliers

In common with other suppliers, an organisation’s important suppliers will be subject to some or all of the identified generic risks. Other risks may be somewhat common across most of them or restricted to just a few.

These risks fall into five general categories:

1. Cybersecurity, where technological weaknesses are leveraged to disrupt operations or steal / disclose sensitive data
2. Economic, such as a general recession affecting cashflow, supplier insolvency, or a workforce stoppage over pay
3. Environmental, covering natural or manmade disasters, and unsustainable practices
4. Ethical, including bribery and corruption, and the use of child and forced labour
5. Political, like armed conflict, civil unrest, breakdown of government and the failure of law and order.
   
   

Understanding the particulars of each key risk that each important supplier is potentially subject to is essential. Without it, the organisation might not only suffer the direct consequencues of the occurrence of a key risk operationally, but also financially in the form of regulatory penalties and loss of custom - maybe even the viability of the organisation.

Detailed discussions with important suppliers will doubtless be required, either to clarify aspects of received documentation about risks, or when no documentation has been provided.

Ignorance is not bliss regarding supplier risk, it’s indefensible, and just asking for trouble.

The failure of its suppliers to effectively manage their own risks can move those risks down to the organisation. Maintaining strong awareness of each supplier’s key risks and their most probable causes is necessary for the organisation to be adequately prepared for dealing with their occurrence.

Develop specific mitigations for each important supplier’s key risks

Consideration of each important supplier’s key risks and their various causes provides an essential basis for formulating relevant mitigation approaches. Ideally, some fairly standardised mitigation approaches could be designed for similar causes but tweaks and customisations should be expected.

This will be determined by the uniqueness or generality of the causes of those risks, the categories they fall into, and the specific influencing factors that apply in each case.

New practices and processes might be needed, and any automation possible will be a great timesaver and enhance adoption.

Ideally, existing tools, technologies and services can be leveraged, and sufficient justification assembled for the acquisition of improved and/or previously unused mitigation options. Unless there’s a really good reason, all mitigations should align with the organisation’s current risk tolerance level.

Activation of any prepared risk mitigations might reveal shortcomings and inconsistencies, or suggest areas where improvements can be made and redundancies removed.

This activation can be baptism by fire, requiring quick analysis of how things are tracking and even quicker development of any necessary course corrections.

Lessons learned should be adopted and all necessary changes applied to the supplier risk catalogue wherever relevant.

Dealing with unforeseen supplier risk

It’s impossible to anticipate the nature of every possible supplier risk that might seriously impact the organisation, let alone the likelihood of its occurrence. The environment alone that any supplier operates in is subject to uncountable variables and random influences. So too is the how, why, when and where of the way it operates.

This means the organisation will inevitably, sooner or later, bump up against the problem of dealing with unforeseen supplier risk, which generally arrives by surprise. This is a classic case of the known-unknowns, where you know there are things that you can’t predict, and unknown-unknowns, where you don’t know what you don’t know.

What can be done?

Insight about currently unforeseen supplier risk might be gained from reviewing the vulnerabilities addressed in the organisation’s business continuity and disaster recovery plans, and possibly those of important suppliers where the relationship is quite cordial.

Any relevant threat scenarios considered in the organisation’s strategic plan might also be useful.

Dealing with something totally unforeseen can only start with operational awareness that it is imminent, in play or has actually happened.

Someone somewhere might get an inkling that something isn’t right, or it could be immediately apparent if unexpected or unusual effects are being felt. Where the effects could have known causes, only the elimination of those causes from enquiries would provide adequate proof that an unforeseen risk has occurred.

Discovering an unforeseen risk’s root cause is likely to be needed for development of effective preventive solutions but not necessarily for remedial mitigations, whether temporary or final.

Adaptability and its enabler, agility, are key, and planning is critical for agility.

Referencing the supplier risk catalogue might be the only way of determining if whatever has occurred has already been considered and preventive measures established. This means the organisation’s detailed guidance about how to deal with anything unforeseen should be contained within or closely located to the catalogue.

Following finalisation of any remedial mitigation approaches used to deal with the impact of an unforeseen risk, the supplier risk catalogue should be updated accordingly.

Any learnings derived from use of the guidance about dealing with unforeseen risk should also be incorporated into the catalogue.

Cataloguing supplier risks and mitigations

Development and maintenance of a searchable electronic catalogue of the key generic and individual supplier risks for the organisation is a must-do. The set of viable mitigation options for each one has several benefits that more than justify the effort, including:

• The same or similar mitigations can be quickly adopted for other suppliers subject to similar risks
• At-hand guidance for dealing with the unexpected occurrence of such situations, particularly for the less experienced, allowing a rapid response to help limit the impact.

The experiences encountered in dealing with those situations provides insight into improvements and alternatives that may not have been considered or possible previously, such as:

• Details of unexpected situations can be added on occurrence, along with details of mitigations that worked
• Slight variations in similar mitigation strategies can be detected and smoothed out where relevant to increase their level of standardisation and applicability
• Periodic supplier risk analyses can be simplified and accelerated based on the risk inventory maintained in the catalogue
• Suppliers, risks and/or mitigations that have been effectively removed over time can be noted as such in the catalogue but retained for guidance in case reinstatement is required
• An impact level assigned to each risk can be used to indicate the relative frequency for assurance testing of the ongoing validity of its mitigation approaches by both suppliers and the organisation.
• A simple read-only spreadsheet that’s only centrally accessible can suffice for an organisation with a small number of suppliers and few if any regulatory compliance obligations. A strong change management approach will be necessary to maintain integrity of the spreadsheet.
• A wide range of software products with varying levels of specificity, capability and cost is available to meet almost every need with respect to supplier risk management for the larger or more sophisticated organisations with more than a handful of suppliers.
• Risks and their owners, causes, contributing factors, likelihood of occurrence, impacts, mitigations and their owners, and other pieces of useful information should be grouped into categories to assist with searching for details in the catalogue.

The benefits of supplier management software

For businesses looking for a more sophisticated way of cataloguing and managing supplier risk, supplier management software can help. Gatekeeper helps you to centralise your supplier records for greater visibility, automates compliance and provides additional modules that can enhance your risk visibility. These include:

• Integrated risk intelligence feeds within MarketIQ, giving you real-time access to your supplier’s financial status and changes, including credit risk and credit scores.
• Security Scorecards that allow you to see if your suppliers are up-to-date with practices related to data security and protection.
• A dedicated Risk Module where you can assess supplier risk by Probability and Impact, so you can take early remedial actions to mitigate any issues.

Wrap-up

There’s no doubting that ‘caveat emptor’ was a well-understood concept long before the Romans turned up uninvited with their catchy phrase, providing evidence that supplier risk has been an issue forever. In these modern times, that’s truer than ever.

It’s easy to associate modernisation with acceleration, because nothing has really gotten slower since the industrial revolution kicked off a few short centuries ago.

Things just happen faster now, reducing the lag between occurrence and effect. This can be a problem when the occurrence is a complete surprise.

Prediction and preparation are the way around this problem, with success based on the accuracy of the first and the effectiveness of the second.

Murphy’s Law requires that neither will be achieved 100% of the time, but that has to be the target. Things will always fall through the cracks because nobody’s perfect.

Dealing with supplier risk could almost be the poster child for using the predict-and-prep process. The risk catalogue is the outcome of the process, containing details of predicted risks and their causes, and the methods prepared for mitigating them.

Easy access to the risk catalogue by all stakeholders in a supplier’s provision of products and services, and the relevant contracts, helps to keep it fit-for-purpose, up-to-date and useful for raising awareness among the people who need to and should know about the risks associated with their suppliers of interest.

Is it hard work to gather and get on top of all the details? Emphatically yes, particularly when there are lots of suppliers and few resources available to do the work or have it done.

Is it worth the effort? Absolutely. Being able to deal with occurrence of a supplier risk as quickly as possible by following an established approach will reduce response times to and limit impact of the risk, and boost resilience. Lessons learned can improve the approach for any recurrence.

Don’t have a risk catalogue in place yet, or have one that could do with some TLC? Better get a wriggle on and do the necessary. Coming to a hard stop while accelerating can hurt.

If and when supplier risk occurs with non-trivial results, good answers will be needed to the questions “How did this happen?” and “Why weren’t we prepared?”.

Having a comprehensive and current supplier risk catalogue available showing the level of risk preparedness in place might provide a handy get-out-of-jail card.

If you would like more information about how to develop your supplier risk catalogue, or how Gatekeeper can assist with that activity, then contact us today.