Supply Risk and Compliance are Disconnected — That’s a Problem and an Opportunity

“Risk” and “compliance” are two words that are often seen hanging around together (e.g., the “R” and “C” in GRC), but while they look alike, understanding their differences is actually very important, especially to supply chain and procurement organizations.

Compliance is basically about things that you have to do to meet requirements, usually external requirements from regulations or customers that translate to internal policies and processes. Although compliance requirements may stem from well-meaning regulators, NGOs and customers, they are usually seen as constraints that must be prioritized and adhered to with minimum cost and effort. This is not very helpful to creating shareholder value.

Additionally, although many compliance regimes are geared somewhat towards reducing risk, compliance has very little to do with the real risks in your business and your supply chain. In fact, all the time you spend documenting process X for regulation Y means you’re not focused on the bigger picture of risk. You’re compliant, but you’re still unprotected.

Risk is basically the effect of VUCA (variability, uncertainty, complexity and ambiguity) on an expected result that you want. Supply risk is about reducing VUCA in the supply chain (i.e., de-risking the supply chain) in order to assure supply [performance] that your stakeholders need.

But supply risk is everywhere and nowhere (hidden). We don’t just “not know what we don’t know,” but we sometimes don’t even want to know (especially if we’re not explicitly measured on it). And even if we did know, we can’t fix it because supply risk is often viewed as a glorified insurance policy by short-sighted c-level executives, and we struggle to build an ROI that is competing for limited funds against other projects focusing on economic returns rather than risk.

So, you’re stuck in the supply risk swamp and bogged down by compliance regimes. And you know there is waste everywhere and opportunity all around. So, as a supply professional, what should you do? You need to align risk management and compliance management with not just each other but with performance management (including continuous improvement) — and tie them all into your value chain processes. As those processes go upstream and external, this is where procurement and supply chain groups feel this problem — and need for alignment — more than anyone in the enterprise.

Getting this alignment, and mobilizing resources to do it, is a fairly complex and nuanced topic, and one that I will be covering in an upcoming research series. But for now, let me give a practical recommendation (and example) that addresses the issues above related to “check the box” compliance regimes and floundering supply risk programs. One proven strategy is to take a big external compliance requirement from a regulator, NGO or customer and use its inertia and energy to fund building capabilities (e.g., supply market intelligence) that can reduce risk and even save some money. I talked about this specifically in an interview focused on EPA regulations and more generally as an example of a CPO skill that helps get alignment with stakeholders:

This ability to perform “organizational judo” is a crucial change management strategy for a CPO to master. The CPO should opportunistically use the weight of such “burning platforms” and initiatives du jour to help support (and fund) current or planned procurement initiatives that might struggle individually on their own.

Let me go beyond EPA though and give a more global example. ISO9001 is the only certifiable management system framework (which includes a whole section on managing external providers) within the ISO9000 family of standards, and last year it got a much needed overhaul. One of its major improvements is acknowledging that supplier products (and services) are not compliant in a vacuum. They are threatened by supply risks in the supply chains and must be protected.

I just read a really good whitepaper (yes, I read white papers, too!) from riskmethods and it talked about how supply chain risk management dovetails with the closed loop management system implicit in ISO9001. It also makes the same argument I made above about using the fact that you need to re-certify on ISO9001:2015 by 2018, and if you’re going to do it, and support the risk management guidelines, you might as well do it right with a proper supply chain risk management platform. You can download the paper here, and I highly recommend it as an initial read, but stay tuned for my upcoming series on ISO9001, supply management systems more broadly and their importance to supply chain and procurement.