Evaluating Supplier Risk: The Question Behind the Question

Spend Matters welcomes a guest post from Tada Yamamoto, a Consultant in the Strategy and Operations Practice at The Hackett Group. Tada has experience with manufacturing optimization, four walls plant productivity improvements and inventory and supplier assessments. His most recent experience involved development of an S&OP tool and process for a major agricultural chemicals producer.

Risk has become an area of increasing focus for companies of all sizes across all industries, as recent economic crises and globalization have crippled several multi-billion dollar corporations overnight. While some companies successfully made it through the difficult times, resilience studies have permeated leading-edge business research, both in academia and within industry, in an effort to increase the longevity and viability of companies, and have placed a greater emphasis on risk management.

However, in addressing the question of how much to invest in risk mitigating practices, software, and headcount, a single assumption drives a large portion of the end result: "How risk averse is your company?" It is a seemingly simple question, but it can be very difficult to answer. But there's a question within that question. Executives find themselves really asking "How risk averse should I be? Am I risk averse to the point where I limit my supply options, or do I open myself to all suppliers, doing the best I can to manage risk knowing that I am taking the risk?"

The answer generally lies somewhere between the two extremes, but finding the sweet spot for each company is an art backed with threads of science.

As risk profiles change between industries and companies, it is difficult to objectively assess how much is too much, and conversely, how little is too little. A slew of companies, The Hackett Group included, have put together models and viewpoints on tackling the decision of how much to invest, where to invest, and even how to invest. Supplier risk is one major area where companies typically have less control and where a variety of third party solutions exist.

Understanding how risk averse a company should be starts by classifying the various types of risk. The Hackett Group has identified seven types of supplier risk:

  1. Operational Risk: The risk that involvement with a vendor/service provider may result in a negative impact to the organization's processes, systems and people, adversely affecting the ongoing business operations (e.g., potential for service disruption, reputational harm, failure to perform)
  2. Financial Risk: The risk that involvement with a particular vendor may result in a negative financial impact on profitability or results based on unexpected increases in costs or an inability to provide a service affecting company financial performance
  3. Business Continuity Risk: The potential impact a supplier could have to the timely resumption and delivery of essential services, business processes and operations in the event of a major disruption or closure of the supplier
  4. Technology Risk: The risk to an organization resulting from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction of information and/or information systems
  5. Compliance Risk: A variety of risks arising from violations or non-conformance with laws, regulations, prescribed practices or ethical standards
  6. Physical Security: The security of premises including, but not limited to, practices around badge cards and authorization of visitors, access points, and metal detectors. Additionally, the safety measures a company takes to ensure the well-being of its employees are included in this area
  7. People Screening: The processes the company has in place to ensure that employees and contractors have the proper authorization and character the company desires

By evaluating each of these risks individually, a risk manager can begin to understand exactly where he or she may need to invest and how risk averse the company should be. To determine the adequate investment, each area should be assessed for the degree of impact a failure would have on the bottom line and for how difficult that failure would be to overcome. These will serve as data points to guide a decision and will vary significantly from industry to industry and company to company.

In addition to evaluating the facets of risk mentioned above, benchmarking the number of resources or amount of spend assigned to risk management and assessing best practices could be other data points to allow a manager to gauge a company's risk exposure. Still, while these data points can serve as markers for developing a robust and cost-effective risk strategy, science can only go so far in establishing how much to protect a company.

A first level of defense and risk mitigation should be built into any Supplier Relationship Management (SRM) program a company has in place. Simple questions on a supplier's historical financial health, specific financial ratios, and operational performance levels can indicate a supplier's initial level of risk. Ongoing monitoring throughout the supply relationship is necessary to evaluate all seven aspects of supplier risk. For the residual risk that remains in each of those risk areas, there should be a plan to mitigate or an awareness of the business exposure.

As previously mentioned, there are a large number of third-party risk management and mitigation tools, from simple dashboard providers to parties that will screen and monitor a whole host of suppliers. An external risk management supplier could make sense to allow the company to focus on its core competency or further business development, especially for growth companies. Still, these options should be weighed based on the perceived need for additional protection from risk.

At the end of the day, a risk management program can only make a company aware of and mitigate the potential risks it faces, but there will always be some left over. Over-investment in risk management can be just as costly as under-investment.

So how risk averse should you be? Evaluate the above and look at your data points. You have the science that can guide you in making a decision, but ultimately, risk management is an art. Paint the canvas and cover areas that you feel need coverage, and maintain awareness of the areas that do not require regular coverage. In the end, your masterpiece will not be for everyone, but just as a painting suits a particular room, suit your program to your specific company without worrying about what someone else is doing.

- Tada Yamamoto, Consultant in the Strategy and Operations Practice at The Hackett Group
