Spend Matters welcomes this guest article by Len Prokopets and Byron Tatsumi of KPMG.
Supplier risk management is not a new concept. We often can’t help but consider supplier risk as we read the news, invest money in a company’s stock, eagerly await the release of the next generation of mobile device or even just purchase groceries. Most companies see supplier risk management as a key priority and many have initiated programs to address it. However, supplier risk programs, as well as other operational improvements such as ERP implementations, supply chain and process improvement, and business intelligence efforts, have had limited impact on supplier risk. Based on a KPMG global study, fewer than 19% of companies believe they have attained a “leading practice” level of supplier risk management. There is no shortage of examples where companies suffered significant harm as a result: damage to brand and reputation, delays in the launch of major new products and services, disruption of supply, regulatory penalties and environmental, health and safety events, among others.
Why is effective supplier risk management so elusive? For starters, companies often lack a comprehensive view of their third-party relationships or of the impact those suppliers can have on the organization. Companies also struggle to obtain the data needed to assess supplier risk: while some data, like public company credit ratings, is readily available, data on supplier regulatory compliance, supplier integrity and supplier production capacity can be difficult to obtain. Even when the data is in hand, companies struggle to use it to analyze and predict risk. Furthermore, companies rarely establish programs that go beyond monitoring. Structured risk responses are rarely planned proactively, leaving various functions to scramble to address risk reactively once it is identified.
In order to establish an effective supplier risk management program, companies need to understand and overcome these challenges.
Figure: Typical Supplier Risk Management Challenges
In our experience, the following 6 steps can be used to address these challenges and to establish an integrated supplier risk management program:
Step 1: Develop a comprehensive enterprise view of third parties
For many companies, an integrated, up-to-date view of enterprise relationships with suppliers and other third parties is not readily available. Organizations need to analyze their spend on an ongoing basis, identify active suppliers, and cleanse and normalize the data to arrive at a mutually exclusive and collectively exhaustive (MECE) view of the supply base. In addition, it is important to consider other key relationships such as tier 2-n suppliers, distributors and others.
Step 2: Segment the supply base for risk management
Companies should identify suppliers that drive the greatest level of risk. Which suppliers pose the greatest risk to the organization’s major product launches, growth plans or projects? Which suppliers can disrupt ongoing operations if their deliveries are interrupted? Which suppliers pose the greatest risk to the organization’s reputation and brand, regulatory compliance and ability to meet environment, health and safety plans?
Step 3: Identify, develop and obtain the right supplier risk data
Companies should consider many different types of data, from a variety of sources, in order to gain an understanding of risk. Examples include the OFAC economic/trade sanctions list, supplier financials/scores, business continuity plans, business continuity test results, information security plans, breach notification plans, vendor management plans (for suppliers that rely on subcontractors to support your needs), internal business requestor requirements, internal risk subject matter recommendations, etc. Some data (e.g. capacity, compliance) is not routinely captured, nor is it readily available from a single reliable source.
Step 4: Orchestrate ongoing data collection across the supply base
Collecting the data means enrolling suppliers into the program and managing and assembling a very large volume of different data elements, drawn from both internal and external sources.
Step 5: Translate risk data into insights
Supplier risk management works best when risks are predicted in advance and when they are related to the type and magnitude of business impact they can drive. Understanding risk in the context of the business activities and earnings streams it threatens is vital for prioritization and for mobilizing the appropriate response. This step requires a well-thought-out framework and an analytical model for supplier risk analysis. It also requires linking supplier risks to the products, services and earnings they may impact. Technology for risk analytics is a vital enabler.
Step 6: Develop the organization’s playbook and tools for addressing supplier risk
The organization’s key actions for risk mitigation should be identified and formalized as “playbooks” to enable structured, repeatable and coordinated execution across the enterprise. Each playbook should define clear triggers, specific action plans with cross-functional execution steps and workflows, roles and responsibilities, and the metrics used to measure the response. When executing to a playbook, an organization can address risk more quickly, efficiently and effectively.
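As an added illustration of how Steps 2 through 6 fit together in practice (this is example code written for this page, not a KPMG model or tool), the Python below takes a small constructed supply base, tiers each supplier by the business it can disrupt, combines the Step 3 data elements (sanctions screening result, financial score, continuity test evidence, information security and breach notification plans, subcontractor management) into a likelihood score, multiplies by the revenue each supplier supports to get an expected exposure, and fires playbook triggers. The supplier names and data, the scoring weights, the tier thresholds and the playbook names are all assumptions for illustration; a real program would calibrate the weights against its own loss history.

```python
from dataclasses import dataclass


@dataclass
class Supplier:
    """Risk data elements of the kind Step 3 calls for (all values constructed)."""
    name: str
    revenue_supported: float        # annual revenue (USD) of the products/services this supplier feeds
    single_source: bool             # no qualified alternate supplier
    sanctions_hit: bool             # matched during sanctions-list screening (e.g. OFAC)
    financial_score: int            # 1 (distressed) .. 10 (strong); assumed scale
    bcp_tested: bool                # business continuity plan exists and has test results
    infosec_plan: bool              # information security plan provided
    breach_notification_plan: bool  # breach notification plan provided
    subcontractors_managed: bool    # vendor management plan covers their subcontractors


# Assumed weights: how much each adverse data point adds to the likelihood (0..1)
# of a disruptive event. These are illustrative, not calibrated.
WEIGHTS = {
    "sanctions_hit": 0.35,
    "financial": 0.25,       # scaled by how weak the financial score is
    "no_bcp_test": 0.15,
    "no_infosec_plan": 0.10,
    "no_breach_plan": 0.10,
    "unmanaged_subs": 0.05,
}


def segment(s: Supplier) -> str:
    """Step 2: tier by what the supplier can disrupt (assumed thresholds)."""
    if s.single_source and s.revenue_supported >= 50e6:
        return "critical"
    if s.revenue_supported >= 10e6:
        return "high"
    return "standard"


def likelihood(s: Supplier) -> float:
    """Step 5: combine the collected risk data into a 0..1 likelihood score."""
    score = 0.0
    if s.sanctions_hit:
        score += WEIGHTS["sanctions_hit"]
    score += WEIGHTS["financial"] * (10 - s.financial_score) / 9
    if not s.bcp_tested:
        score += WEIGHTS["no_bcp_test"]
    if not s.infosec_plan:
        score += WEIGHTS["no_infosec_plan"]
    if not s.breach_notification_plan:
        score += WEIGHTS["no_breach_plan"]
    if not s.subcontractors_managed:
        score += WEIGHTS["unmanaged_subs"]
    return min(score, 1.0)


def exposure(s: Supplier) -> float:
    """Step 5: tie likelihood to the earnings stream it threatens (expected revenue at risk)."""
    return likelihood(s) * s.revenue_supported


# Step 6: playbook triggers as (predicate over supplier and tier, playbook name).
# Playbook names are assumed; the real playbook holds owners, workflow and metrics.
TRIGGERS = [
    (lambda s, tier: s.sanctions_hit, "sanctions-hold"),
    (lambda s, tier: tier == "critical" and s.financial_score <= 5, "financial-distress"),
    (lambda s, tier: not s.bcp_tested and tier in ("critical", "high"), "continuity-gap"),
    (lambda s, tier: not (s.infosec_plan and s.breach_notification_plan), "infosec-gap"),
]


def assess(s: Supplier) -> dict:
    """Full assessment for one supplier: tier, likelihood, exposure and triggered playbooks."""
    tier = segment(s)
    return {
        "name": s.name,
        "tier": tier,
        "likelihood": round(likelihood(s), 4),
        "exposure": round(exposure(s), 2),
        "playbooks": [name for pred, name in TRIGGERS if pred(s, tier)],
    }


def prioritize(suppliers) -> list:
    """Rank the supply base by expected revenue at risk, highest first."""
    return sorted((assess(s) for s in suppliers), key=lambda a: a["exposure"], reverse=True)


# Constructed sample supply base (fictitious companies and data).
SUPPLIERS = [
    Supplier("Acme Castings", 80e6, True, False, 4, False, True, True, True),
    Supplier("Globex Logistics", 20e6, False, True, 8, True, True, False, False),
    Supplier("Initech Staffing", 2e6, False, False, 9, True, True, True, True),
]

if __name__ == "__main__":
    for a in prioritize(SUPPLIERS):
        print(f"{a['name']:18} {a['tier']:8} p={a['likelihood']:.2f} "
              f"exposure=${a['exposure']:,.0f} playbooks={a['playbooks']}")
```

Note what the ranking shows: the single-source casting supplier with a weak financial score and no tested continuity plan tops the list on expected revenue at risk even though the logistics supplier has the higher raw likelihood (a sanctions hit), because exposure is expressed against the earnings stream each one threatens, which is the prioritization the Step 5 text argues for. The triggers then hand each supplier to a named playbook rather than leaving the response to be improvised.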
These 6 steps also require the right foundation: an operating model for risk management. Processes and policies, organization and governance, data, architecture and tools, service delivery models, people and talent management, and performance management should all be aligned in support of risk management capabilities.
No doubt, effective supplier risk management takes work, but with all that is at stake, companies should take stock of their current capabilities and approach to risk management and aim for an integrated model that includes the above 6 steps.