Procurement’s New Year resolutions for tackling supplier risk

This content does not express the views or opinions of Spend Matters.

After the last few tumultuous years, procurement teams are still facing steep challenges in getting ahead of supplier and supply chain risks. Some organizations have opted to invest in new, more robust supplier and third-party risk management (TPRM) systems, while others are optimizing their existing systems. I’ve seen a wide range of approaches to building out these practices, from just getting started, to good, better and cutting-edge methods of leveraging people, processes and technology.

Unfortunately, there are no signs that the heightened frequency of disruptions we’ve seen over the last few years will abate in 2024. And since the new year is the perfect time for making changes, I challenge you to take on a procurement New Year’s resolution: to identify where you are in your current supplier risk journey and commit to achieving the next level on that maturity curve before January 1, 2025.

Whether you’re just starting out or you’re working on optimizing current processes, here are some tips towards making this resolution a reality.

Become the go-to source for risk

Procurement organizations are increasingly establishing themselves as the central source of risk data for all suppliers. Unsurprisingly (for anyone in procurement), much of that data is still siloed within various departments and business units. It’s common for TPRM, CISO/IT, ERM and Finance to hold onto the risk data, assessments and incident response information (when something goes wrong) concerning their suppliers and vendors. But this is inefficient, inconsistent and often confusing.

Procurement organizations that position themselves as the centralized, go-to source for data, assessments, monitoring and alerts can become trusted partners who can maintain the risk intelligence needed to support the business with insights, trends and a common view of the risks posed across the extended supplier ecosystem.

Increase visibility

To become the go-to source for risk, procurement must broaden the scope of risks considered across the supplier lifecycle. Cursory reviews of revenue numbers and credit ratings to determine financial risk are a thing of the past. To meet the needs of stakeholders across the organization, procurement must gain a broad, multi-factor view of risk that is relevant for different types of suppliers and deep enough into the details to make educated assessments.

Financial data including cash flow, liquidity and solvency can be extremely helpful in predicting risk beyond the horizon. Data on cybersecurity and hygiene, catastrophic weather events, pandemic response, geopolitical turmoil, the ever-growing restrictions and sanctions lists, and environmental, social and governance (ESG) practices are all necessary to consider when working across teams with varying needs.

The more attributes you can access within each of those big-picture factors, the better you can predict future vulnerabilities and disruptions to your business operations, revenues and reputation — and the more support you can offer to teams that have unique needs for risk management.

Secondly, procurement needs to expand continuous monitoring of suppliers for changes in risk and disruption events in a more scalable way. Annual or biannual reviews of critical suppliers are important and play a strategic role in supplier collaboration — but often it’s the less-critical suppliers that can create problems for your business, simply because no one really pays attention to them until a problem arises. That goes double for sub-tier suppliers — just ask any company that has found out about a sub-tier supplier using underage labor to process raw materials by reading about it in the news headlines!

An early warning of an emerging risk or a potentially disruptive event can go a long way to avoiding or reducing the pain before the risk materializes and has an impact on your business. The farther out you can see, the longer the runway you have to make adjustments before you’re right on top of them.

Understand materiality

Understanding the materiality of the risk is where we start to get into ‘better’ and ‘best-in-class.’ Defining the risk appetites for different suppliers based on their potential impact to your organization is key to improving risk management. This is NOT the legacy process often used to shortlist ‘critical’ suppliers for enhanced due diligence, continuous monitoring and regular reviews.

Rather, this is a scaling up of risk assessment and monitoring across more suppliers, but with materiality used to set risk thresholds based on the impact of a certain risk to your business by a set of supplier attributes.

‘One-size-fits-all’ certainly doesn’t work for supplier risk management. After all, cyber risk is extremely important for critical information system vendors, cloud hosting providers, etc. But limiting cyber risk to IT systems and services vendors leaves an organization exposed to other types of vendors and suppliers that have access to sensitive data.

By using materiality as a key factor, you would apply cyber risk to a marketing agency that uses your customer data to provide direct mail services, or apply ESG risk to a sub-tier raw material vendor that is located in a country with less stringent labor and environmental protection laws.

Focus on actionability

Finally, procurement must be able to tie together the risk intelligence gained from broad and deep visibility, the materiality that has been applied to map the risk appetites for different types of suppliers, and the benefits of continuous monitoring, and use them to take decisive action to mitigate the identified risks.

The action plans that are kickstarted when a disruption is identified are as varied as the types of suppliers and risk events found across any supply chain. They can range from holding POs or payments, to re-sourcing alternative suppliers, to increasing inventory. The list goes on. But you must define a clear, consistent connection between the risk signal and the mitigating action.

This can protect your business from a production disruption, lost revenue or a major hit to your brand reputation. But it can also be a significant competitive advantage when you can respond faster and more strategically than the competition. Not only can you capture spare capacity or buy inventory before your competitor — but in the case of a newsworthy disruption, you can stand out as the leader while your competitor’s reputation (and their stock price) suffers.

Achieving these core concepts for improving supplier risk management requires less personal sacrifice than the standard New Year’s resolutions, and will deliver visible results in generating higher awareness of the weak spots in your supply chain and a more proactive approach to mitigating future vulnerabilities.