How the importance of risk management has changed for procurement – and what to do about it
10/31/2024
A common thread among the conversations we’ve had recently with senior procurement practitioners tells of the extent to which attitudes towards risk have changed over the past decade.
As little as 10 years ago, we heard stories of near indifference to risk: “supply risk management was young,” we heard, and “we didn’t worry too much about risk; we spent a very small percentage of our time on it.”
That statement couldn’t be less true today. According to one procurement leader we spoke to, all that changed around 2020.
Stephen Bertolami is an experienced procurement leader who has spent the best part of 25 years in operational roles across real estate and financial services, optimizing global operations for some of the world’s largest organizations. He shared some of his observations and experiences with us.
“Just ten years ago,” he says, “social unrest, environmental change, much greater incidents of natural disasters like large-scale hurricanes, cyber attacks, tighter regulations and so on didn’t weigh so heavily on procurement minds. Today, just the combination of the words risk, environment and supply chain make the practitioner sit up and think differently. It was around 2020 when I saw organizations really start to focus on risk, both the broader risk in their environment and the risks in their supply chain.”
And Stephen is not alone. According to our senior analyst Bertrand Maltaverne who specializes in risk-management solutions: “The focus and perception, and even the nature of the risks that procurement practitioners face, have changed drastically. Traditionally, procurement was very focused on a firm’s financial health, and controls regarding these aspects have been in place for quite a long time (this is why all major supplier management solutions have had D&B integrations for more than 20 years). However, things are very different today. Risk encompasses many dimensions and layers. It is very complex.”
Risk priorities differ by industry …
The way risk is treated and the type of risk profile companies worry about very much depends on the industry and varies significantly.
“In financial services for example,” says Stephen, “the biggest risk concerns are around cyber attacks and data breaches. And that focus has become even greater since we’ve witnessed more of them happening. In addition to that, the regulatory environment has placed more pressure on organizations, particularly in the EU and United States, where quite significant regulations apply to the sharing of the third-party data they collect, requiring them to treat this much more seriously than in the past.
“Similar constraints are equally high in life sciences industries, like biotech, where you are dealing with personally identifiable information. Those organizations are stewards of that information — and they have to protect it.
“On top of that, for all organizations, the threat of unrest, war, pandemics, natural and man-made disasters can require suppliers to rethink and relocate. So these real-life practical considerations also come into play for the practitioner, and finding alternative sources of supply becomes a priority. The stability of the supply base has never been more important for procurement leaders, particularly regarding the use of more diverse suppliers, which by nature may be smaller in scale.”
… and so do mitigation strategies
So what type of mitigation framework does one try to build around addressing these risks?
“To start with,” he says, “one of the biggest challenges many organizations face is establishing who it is that owns risk. Different parts of the organization think they have responsibility for different parts of the risk in question. Larger firms might have a procurement team, a risk and resilience team, a legal and compliance group, an IT team and so on. And all these individual teams own some level of responsibility or accountability. But from my experience, each team does this very differently, with each using its own technology to manage risk.
“One of the big wake-up calls I once had was when our chief information officer asked for a list of our highest-risk suppliers. It’s not uncommon for each department to have its own list of suppliers and its own supply of risk data. So when that happens, you have to work really hard to bring those teams together and agree on an organizational structure.
“This is not necessarily a case of realigning the organization, rather agreeing on a collaborative construct so that everyone is working towards the same set of goals. That’s a huge step forward. This can be the most difficult thing to achieve because, as we all know, people like to own their assets. They don’t like the idea of others meddling in their business, so it can be tough to get past that boundary.
“In one case, we conducted a third-party assessment that indicated problems with our structure, both in process and technology, which propelled us to make a commitment to a few changes. One was that procurement would be the responsible owner of the process and operation.
“This made the most logical sense. Procurement already understood the supply base. It had a process in place for vetting, contracting, on- and off-boarding and managing the lifecycle of the supplier relationships.”
Stephen was very candid when he told us that even as a procurement leader, he wasn’t very excited about this at the time. “Procurement loves the relationships it builds from value creation,” he said, “but risk mitigation, until more recently, hasn’t been something that stakeholders fully understand. It’s often felt that it just adds more time to the procurement process. And, frankly, it does. If you are spending 40% of your time dedicated to risk vetting, because you don’t have the right technology and support to help you, it can take a huge effort. But once you’ve agreed on the who’s who of risk responsibility, then you can take that step forward towards a commitment to technology.
“But whichever system you use, you have to be prepared to spend time optimizing it, aligning it with your processes and pulling in the diverse set of data you have on suppliers. And that can be a two-year effort, because you first have to get to a baseline.
“One of the things we learned from that exercise was a real game changer. For the first time we were able to see who were our higher-risk suppliers, what their profiles were and in which categories they existed. But we learned some other really important things from that as well.”
Learnings from a risk assessment
Stephen took many learnings from this exercise, one being that their criteria, or the way in which they measured and categorized their suppliers in terms of risk level, was too extreme.
“By way of example,” he said, “when some of the financial risk requirements came into place in the early 2020s, like Sarbanes-Oxley in the United States, we were overly cautious and went too far in one direction. So at a time when 15%, as a ballpark, of the supply base was traditionally identified as high risk, we had identified 30% or 40% of ours. So sometimes firms don’t quite have the levels right on how they are identifying where risk exists. That was a big learning for us, and it allowed us to adjust how we measured risk and where risk truly lies.
“I also learned that organizations can be putting an awful lot of effort into categories and suppliers that really don’t represent a big risk for them. Take travel for example. You may have detailed resilience plans in place for your travel program. But when Covid came along, firms were really pressure-tested by some of the real-life risk that was happening. And when a travel provider went down, people just booked directly with airlines. So why did we spend all that time focused on travel mitigation strategies?”
The point is, organizations need to understand where real risk exists and where to place their energies. Our analyst Bertrand points out that: “This is where risk modeling is key to giving an organization the ability to define its own ‘risk recipe’ (what matters and how much) based on multiple criteria including industry and geography/footprint. In addition, evolutive models bring a lot of value because they can self-adjust based on various signals, including something similar to ‘lessons learned’ (where a risk that was thought to be high never led to an incident or had minor consequences).”
Real risk events affect where you prioritize risk
“Covid taught us a lot about structured resilience plans,” says Stephen. “Most firms will have a nice big ‘book’ of plans. But I wonder if they ever look at them? Probably not. And that’s because, generally, they are stale. They typically anticipate tangible, low-incident threats. They don’t anticipate a sudden move to get everyone set up technically to work remotely for instance.
“In my experience, within two weeks of shutting down our offices, our entire 40,000-person company was working remotely — and effectively. At that time you realize that all the structure you’ve built around physical offices has turned out to be pretty unimportant. What does become very important is technology reliability, availability of devices to enable workers to work remotely and strong network connections for international operations. And that might require alternative routing systems for Wi-Fi so that you can provide backup for teams working in regions with less stable infrastructures.”
Real-time monitoring and scenario testing are more effective than making plans
Another learning came not just from Covid but from the broader challenging environment of geopolitical unrest and environmental impacts. He realized that it is much better to put your energies into proactive monitoring than to spend time on the creation of complex mitigation plans for events that may not play out as you’ve planned.
“Let’s take the example of a large event happening in your location,” he says, “something like the Olympics or a large demonstration. You know it’s going to affect your ability to proactively plan ahead for your business. You might even have to consider how it’s going to affect access to your building or site. If it does, are your staff set up to work from home? These are things you have to actively monitor and assess so that you can deal with these real-world circumstances and take action, rather than having a plan sitting on a shelf for something else that might happen. You need to be aware because no individual risk plays out in the same way. For the organizations I’ve worked with, real-time monitoring has made the biggest difference.”
Educate and communicate on why risk matters
Stephen shared another learning — that if you want to assess and mitigate risk effectively it’s important to put more energy into educating your stakeholders. “They need to understand why risk matters,” he says, “and why they need to engage with procurement. When the businesses don’t understand risk, they get frustrated because it slows down processes. It’s made worse because they don’t understand their role — or whether they even have one.
“And while procurement managers are busy managing, it’s the people on the ground doing the day-to-day supplier liaisons that can make the biggest difference. For them to understand the risks and be able to work with the suppliers to mitigate them can be very powerful. But you can only do that through education.
“From one of my experiences, we actioned that by working closely with the IT cyber security team and with the compliance group to put together a type of marketing and education program built around engagement of our stakeholders to build their awareness. That included things like online training, educational snippets about why risk matters and carrying out phishing tests through our email system to educate people on those kinds of risk.
“But it’s equally important that the various business groups, like technology, legal compliance, the risk team, the procurement team, come together to inform their own teams on why it matters and to share and align information to allow the organization to be successful in this space.”
Risk is a joint responsibility
As we said, it makes sense for procurement to own the risk management process and operation, but risk affects everyone and everyone has a role to play.
“If Procurement owns the responsibility for the process and for the centralization of the data, and then gives their peers and stakeholders visibility of that data, it helps them understand where the challenges are. It can then partner with them to reach resolutions and mitigation strategies. For me, that’s the ideal state, because the data and the process, in and of itself, is not going to solve the problem. It’s a coming together of people, process and technology.”
Many thanks to Stephen Bertolami for sharing his extensive experience with us and contributing to our series on risk management for procurement practitioners.
Consult our in-depth guide to risk management for many answers to all of your questions.
For anything else, as always, please reach out.