Supply Chain and Procurement: Risk Management Strategy

cacaroot/Adobe Stock

Spend Matters welcomes this guest post from Maria Cecília Siqueira, of GEP.

Risk management has been discussed exhaustedly in every business forum in the last couple years. Yet in day-to-day operations, it may still be linked to its origins as a paper process restrained to the legal and compliance departments. Per EY studies, 82% of institutional investors would pay a premium price for effective risk management. Nevertheless, it would be safe to say that today risk management faces the “risk of apathy” with business managers.

Restricted to financial and legal aspects, risk management analysis neglects supply chain factors beyond a superficial supplier financial health assessment and fails to recognize the network complexity in which their own businesses lean on. According to the Supply Chain Resilience report (2016), 66% of managers do not have adequate visibility of their supply chain, yet 70% of them faced disruptions in that past year 41% of them occurring in Tier 1 suppliers, and 34% of them experiencing incidents with cumulative losses of at least $1 million, resulting in reduced profit margins, decreased revenue, brand and reputation damage, delayed deliveries and, ultimately, customer losses.

So, what are the gaps you can avoid and instead take a practical approach to secure a place in the category manager’s priority list?

Failure to Involve Key Players

Historically, risk management had a reporting profile, concentrated in value protection rather than expanding business performance and value creation. As Edward J. Buthusiem, from the Berkeley Research Group, correctly puts it, “It cannot be a process run by the lawyers for the lawyers.” To leverage its informative profile to become a practical corporate enhancement, business owners must be involved in the risk management process. While legal and compliance interpret the legislation, business owners must identify the operational ways to work with it.

In 93% of the companies studied in the University of Tennessee’s Managing Risk in the Global Supply Chain report, there were risk-dedicated professionals within their companies, but supply chain risk was not included in their processes. Additionally, in contrast with legal and fiscal inquiries, 100% of the companies did not use any outside expertise when evaluating supply chain exposure. In this scenario, any risk program would be consolidated with the companies’ isolated perspective of what could go wrong.

Today, however, there is no such thing as an “isolated company.” Supplier intelligence, insurance companies and logistics providers can bring game-changing inputs to the table, granting a coherent and realistic supply chain network interpretation. They then have an effective basis to identify and develop a risk management plan.

Superficial Approach to Priorities

To accurately rank identified risks, it is essential to consider broader aspects, such as a company’s vulnerability, risk magnitude, the likelihood of occurrence and presumption of early awareness. Despite that, many companies fail to visualize metrics beyond the standard supplier financial health stigma. Even when considering the vendor level, financial health is only one aspect of the system; elements such as logistics, politics and geography are important pieces of the puzzle that should not be neglected.

Risk has dynamic and complex global consequences, particularly in the last few years. Although strengthening supplier controls and SLAs is typically a manager’s go-to strategy, unplanned IT and telecommunications failure is the top cause of supply chain disruption, representing 60% of incidents per the Supply Chain Resilience Report 2016 for the fifth year running. In the report, currency exchange rate volatility has jumped from the 20th to the 7th position, and acts of terrorism appeared in the rankings for the first time.

Superficial approaches to risks do not serve companies’ needs and in our current reality, echoing issues for business continuity and an overall ineffective performance that compromises managers’ commitment to risk management programs.

Top-Down Accountability

Commitment to a long-term program must come with a clear and relevant goal. No manager will engage efforts, resources and valuable time just to complete a check-box program. Once risks are prioritized, you must develop an action plan directly related to each risk, ranked on the probability and the consequence level that an incident might cause. There are a range of different strategic approaches, such as assuming the risk, controlling it, avoiding it or even transferring the risk to another level of the supply chain. This approach must detach itself from exclusively audit and compliance to be part of finance and operational accountability. Defining who implements this risk mitigation and remediation program from a bottom-up perspective empowers those who have operational-level ownership to guarantee its applicability, as reinforced by Buthusiem.

Imprecise Visibility

At this point, mitigation and monitoring are ongoing and risk management programs often struggle with lack of visibility. It may be difficult to assure commitment to a program that would be noticed if it fails. Even then, over 65% of incidents that occur are not reported on a corporate level but rather silenced between restricted departments, 70% do not have a formal documented business contingency plan in case of an incident, and 40% of managers do not analyze the real source of disruption. Unfortunately, as George Santayana brilliantly stated, “Those who do not remember the past are condemned to repeat it.” Risk mitigation should consider cost opportunities and value creation to enhance business performance.

As an example, IBM is a global benchmark when it comes to bringing risk management to the next level. Due to its supply chain complexity and long supplier lines, there was no tool available in the market that could bring the precision needed by the business. So, the company developed its own Total Risk Analysis (TRA) tool and patented it. The tool analyzes qualities of country-product-components in more than 50 countries and gives managers the ability to react instantly if any piece is unstable or in crisis through text messages. This tool was crucial during Japan’s tsunami and during the bombings in India, giving the business owners immediate communication time to react and trigger contingency plans. IBM could remediate any possible impacts in less than one hour after the disasters occurred.

Common and costly, supply chain disruptions can come in unforeseen shapes and forms, but establishing a mature risk management program and avoiding stereotypical approaches can assure business continuity in a crisis. At some point, every business will face risks while working toward its goals. However, once managers can develop their programs with a focus on performance enhancement rather than a paper process system, risk management can become a decisive tool to empower competitive advantage.

First Voice

  1. Val Jonas:

    Excellent article. Risk within functional areas such as procurement / supply chain are hidden vulnerabilities that managers continually ignore. Interesting too that supply chain is so dependent on IT and communications failure. Anything we can do to raise the profile of such weaknesses in business is most welcome.

Discuss this:

Your email address will not be published. Required fields are marked *