Supply chain risk management (SCRM) is becoming a top priority in procurement, as organizations lose millions because of cost volatility, supply disruption, non-compliance fines and incidents that cause damage to the organizational brand and reputation.
Bribes to shady government officials, salmonella in the spinach and forced labor in the supply chain can all result in brand-damaging headlines that can cost an organization tens of millions in sales and hundred of millions in brand damage. And while reputation may only be important for name brands, cost volatility and supply disruption affect all manufacturers.
In fact, in the latest 2015 study by the Business Continuity Institute, supply chain disruption doubled in priority relative to other enterprise disruptions (48% of firms are concerned or extremely concerned). Roughly three-quarters of respondents said they had at least one disruption, and the same amount lack full visibility of their supply chains.
In the same study, 14% had losses from supply chain disruptions (e.g., natural hazards, labor strikes, fires, etc.) that cost over €1 million, and these disruptions can easily go up to nine figures. For example, Toyota estimates the costs for the recent Kumamoto earthquakes to be nearly $300 million. Imagine being out of stock on a product line that does $12 million in annual sales for two months. That’s $2 million in immediate lost sales and longer-term brand damage.
Many organizations try to deal with this through point-based supply risk management solutions centered around supply chain visibility, corporate social responsibility or supplier management, trying to implement the top-down “program du jour.” But what usually happens is a solution is acquired, key strategic suppliers are vetted once in a "check-the-box" compliance initiative and that's it. Supply chain risk means managing the entire supply chain, not just tier 1 suppliers. All tiers, distributors, carriers, ports, transportation hubs, warehouses — a delay or disruption can start anywhere.
Risk management, and what is necessary for ongoing risk management, never gets operationalized, and as new suppliers get added, supply shifts and supply chains change, new risk enters the picture — risks that go undetected unless risk management is embedded in all key procurement activities, including sourcing. It is important to remember that:
1. When You are Sourcing, You are Really Changing Your Supply Chain Network
It’s easy to get lost in the mechanics of sourcing new suppliers and not see the broader supply network implications. For example, you may think you are hedging by dual sourcing, but if those suppliers in turn are sole sourcing to the same critical tier 2 or tier 3 (or 4 or 5!) or all reside in the same GEO (think flood plain) as an example supplier, you are also basically sole sourcing without realizing it. Another example is to consider how elements such as transportation costs, tooling costs (and related capacity) and geography-specific risks have cost considerations that factor into the sourcing process.
2. Supplier Risk is Only One Aspect of Supply Chain Risk
When organizations consider supply risk within the sourcing process, they tend to focus on supplier-specific risks rather than the broader supply risks that get "inherited" from the nature of the items being sourced, the countries they originate from or flow through, the modes of transport and handling, the logistical hubs (or any location-specific asset), the sensitivity of the intellectual property of the items and the nature of customer-specific requirements passed back to you.
3. Your Sourcing Criteria Must Be ‘Protected’ and Risk Must Be Factored In
If you have created a "balanced scorecard" of sourcing requirements beyond cost (e.g., delivery, quality, flexibility, innovation, sustainability, etc.), congratulations! Now the question becomes to what extent you want to protect those performance metrics that are most important to you. Supply risk management is essentially about protecting supply performance outcomes. Depending on what’s most important, that will drive what risk types and mitigation approaches to consider.
4. You Need to 'Cost the Risk' and Also Get It in the Contract
Once you have prioritized your supply (and supplier) KPIs, and have analyzed the biggest risks that threaten those KPIs, you must then analyze your options for risk mitigation (e.g., complexity reduction, early warning detection, faster recovery time, financial insurance policies, etc.) and then estimate whether you or your supplier (or a third party) has the lowest cost to treat and mitigate those risks so that you can plan for your supplier negotiations and contracting appropriately.
5. You Must Design a Monitoring System That is Part of Onboarding
Most procurement professionals understand that savings are not realized during sourcing, but rather, are accrued during the execution process, with automated and failsafed monitoring being the goal to create transparency for all stakeholders. The same, however, goes for risk. Unless you have a means to automate the most important risk monitoring activities, and provide immediate transparency and alerting to key stakeholders, the costs of such monitoring will lead to poor or no monitoring and increased risk. And this will eventually come around to bite you financially.
In other words, risk needs to be ingrained in the sourcing process. With the right process, and platforms, this isn't all that hard to do. Suppliers should be pre-vetted during the identification phase at a basic level to make sure they are financially stable, corporately responsible as far as anyone knows (which can easily be determined by way of reports from third-party CSR providers) and not on any denied party or watch lists. The risk of natural disaster, political embargo, civil unrest or war in the region should also be identified not just overall, but specifically mapped to critical supplier locations (e.g., supplier plants located near the vocanic ‘ring of fire’ on pacific coastlines).
Then, if they are in serious consideration for an award, detailed questions can be asked, records checks can be performed, mandatory CSR requirements can be defined and risk monitoring and mitigation processes assessed and specified appropriate to the level of risk. And when it comes time for an award, regular inspections, mandatory initiative and progress reporting, regular performance metrics and use of the supplier portal can be insisted upon as part of the award. With proper procedures and processes, all of the above can be addressed and the organization can work toward maintaining the metrics and brand that is important to the organization.