Making Sense of the Supply Risk Management Solution Landscape (Part 1) [PRO]

Enterprise risk has never been higher.

The COVID-19 crisis has been an accelerant to other enterprise risks, such as cyberthreats, employee health and safety, and most certainly, supply risks affecting suppliers in complex value chains. For procurement and supply professionals, managing this risk is challenging because they might not get the same credit for reducing supply risk that they do for reducing supply costs (spend), but risk certainly impacts them and their ability to help the business accomplish its goals.

Herein lies the good, the bad and the ugly. Supply risk management is a two-headed beast:

  • The ability to manage and mitigate RISK within the SUPPLY MANAGEMENT function (i.e., source-to-pay and broader value chain), including within the supplier management process
  • The SUPPLY-side aspect of enterprise RISK MANAGEMENT, where enterprise risk and compliance requirements (including compliance with CSR/ESG goals) get extended out to supply chains and third parties (e.g., suppliers!)

The “good” is the ability to extend and integrate enterprise risk/compliance out and back to the external partners that are woven into your business. Supply risk management is intrinsically linked with enterprise risk management: supplier risk management processes are performed within the S2P process as part and parcel of the TPRM (third-party risk management) process, which sits within the top-level ERM (enterprise risk management) and GRC (governance, risk and compliance) processes. Or put another way, if you’re going to reduce enterprise risk, you need to extend your risk management processes outside the four walls to your trading partners — and make sure that your internal stakeholders are aligned in that effort for business continuity planning (BCP).

As such, the “bad/ugly” aspect of poor alignment is the inability to execute these aligned processes given the fragmented terminologies, methodologies, regulations, stakeholders and solution providers/markets vying to help solve these issues.

We can’t delve into all the organizational issues here — e.g., the philosophical/religious battle of whether ERM or GRC is the best top-level methodology; or where sustainability best slots in; or who should own TPRM organizationally (GRC? Procurement? Both?). Regardless, when you start “connecting the dots” across (and within) these domains, you’ll see the potential linkages that are needed — and how many are lacking. For example, very few procurement organizations have helped establish a “single face to the supplier” via a supplier portal that integrates these various risk areas in IT, GRC, legal, etc. (i.e., beyond just a basic procurement/AP registration portal with some basic risk functionality). It’s a technical challenge and an organizational challenge.

We see many of our practitioner advisory clients struggle with how to unify all of these stakeholders and systems — and also just getting the funding needed to do so. They also struggle with what types of providers are appropriate to consider beyond the traditional silos or “lanes.”

In this Spend Matters PRO series, we’ll present a framework for supply risk management that not only is segmented to meet the objectives of supply-side professionals, but also integrates into the higher-level enterprise risk/GRC areas — and simultaneously reflects the current state of solution/services providers. This mega mashup market is messy because there’s a lot of provider overlap and also because of changing dynamics between SaaS solution areas — and because of changing provider market dynamics around content aggregation, analytics-derived intelligence (which is increasingly based on large communities of users and purpose-built machine learning algorithms), risk scoring methodologies and other areas.

Part 2 looks at four of the nearly 50 vendors that we’ll introduce in this space.

Part 3 looks at eight supplier management providers.
