Supplier risk management framework


What's keeping you up at night? Supplier financial risk? Environmental risk? Risk to brand or reputation? Geo-political risk? Third-party risk? Outsourcing relationship management? Supply? Here are some thoughts on an effective supplier risk management framework.

Published in: Business, Economy & Finance

  1. Supplier / Supply Risk
     Corporate Services, May, 2013
     Hans van Eck-Casteels // +1.416.931.5241 // hcsv@rogers.com
  2. Supplier / Supply Risk management overview
     [Diagram. Labels: Vendor Financial Performance; Vendor Quality of Services; the corporation; Reputation and Brand; Viability; Quality; Regulatory Compliance; Delivery; Customer Service; Innovation; Safety; Organization; Vendors]
  3. Vendor Relationship Risk Management – what if?
     • What would the impact be to the corporation if a strategic / critical vendor failed?
     • How confident are we that one or more of our critical vendors are not in financial difficulty?
     • How would our stakeholders react to the failure of a critical vendor?
     • What would the impact be to the corporation's reputation if one of our vendors causes a major security breach?
     • How do we effectively assess and monitor current and potential vendors' financial and operational health?
     • What actions would we take if a vendor were to face difficulties, or causes difficulties for / to the corporation?
  4. Vendor Relationship Risk Management – today's realities
     • As the economic climate continues to stagnate or deteriorate, the corporation should be concerned about the viability of our critical or strategic vendors
     • The impact of vendor failure could prove to be significant, including:
        - Disruption of service and product delivery
        - Reputational damage
        - Business continuity
        - Loss of revenue
        - Threat to competitive advantage
        - Significant use of management time sourcing alternative vendors
        - Potential business failure
     • Supplier Risk Management maintains an up-to-date view of the operational and financial position of strategic / critical vendors
     • Vendor risk issues are increasingly board-level concerns due to the severe financial, operational and strategic consequences disruption can cause. This is coupled with greater scrutiny from regulators, who want confirmation that the corporation is robustly managing vendors to limit vendor risk
  5. Vendor Relationship Risk Management – benefits
     Through the supplier risk management program, the corporation will respond faster to the increased volatility and pressures stemming from globalization, outsourcing and the current economic environment. The corporation's Vendor Risk Management framework will:
     • Ensure or improve the continuity of services through early warning systems and enhanced vendor information
     • Proactively address critical concerns by facilitating better communication and relationships with vendors
     • Increase control over potential disruptions in our supply chain and increase our ability to proactively mitigate risk
     • Minimize or eliminate unplanned reactive costs such as finding alternative vendors at short notice
     • Embed the improved vendor risk management framework across all aspects of vendor / Sourcing and LOB activity
     • Provide stakeholders with reassurance about the control corporate services has over the risks in the supply chain
  6. Supplier Risk Model – Elements of Vendor Risk and Consequences of Failure
     [Diagram. Column headings: Causes (Categories of Predictive Measures); Disruption Events; Consequences (Impacts); Effects; Other Impacts]
     • Causes (grouped under Supplier Attributes and Situational Factors): Performance; Human Resources; Supply Chain Disruption; Financial Health; Environmental; Relationship
     • Disruption events: Quality, Delivery, Service Problems; Supplier Union Strike, Ownership Change, Workforce Disruption; Supplier Locked Tier II Stoppage; Supplier Bankruptcy (or financial distress); Disasters (Weather, Earthquake, Terrorists); Misalignment of Interests
     • Consequences, effects and other impacts: Finished Goods Shipments Stopped; Locate and Ramp Up Back up Supplier; Emergency Buy and Shipments; Reputation; Market Share Loss; Revenue Losses and Recovery Expenses; Foregone Income; Emergency Rework and Rushed FG Shipments; Recall for Quality Issues; Sudden Loss of Supplier
  7. Supplier Risk Model – Vendor Risk Strategy
     [Table with columns Input, Techniques and Output. Items, in slide order:]
     • Business Strategy
     • Sourcing Playbook
     • Value Drivers
     • Organization Process
     • Definition of Risk Management objectives
     • Determine risk appetite tolerance
     • Define vendor risk process
     • Perform Risk analysis on seven components:
        - Financial
        - Operational
        - Strategic
        - Environmental
        - Regulatory
        - Foreign Corrupt
     • Benchmark results
     • Alternatives
     • Interviews
     • Questionnaires
     • IT Risk Management tools
     • Checklists
     • Assumption Analysis
     • SWOT templates
     • Modeling / Diagrams
     • Contingency response strategies
     • Ranked risk profile
     • Vendor risk strategy
     • Vendor risk register
     • SLA / KPI /
     • Contract language
     • Vendor specific risk policies
     • Risk Governance
     • Tailored scorecards
     • Risk acceptance / sign off
     [Diagram: Impact / Probability matrix (L to H) plotting Risk 1 to Risk 6, leading to a specific vendor management approach based on segmentation and risk weighing; Scorecard; Onboarding]
  8. An Op Risk Management Framework
     Objective is to reduce ultimate risk exposure by detecting, managing and mitigating the original risk levels
     [Diagram. Labels: Supplier Risk; Risk Objectives; Initial Risk Exposure; Up-front Protection Activity; Mitigation Triggered by VRM Management; Target Level Of Strategic Vendor Risk Exposure]
     • Up-front Risk Identification: focus is on uncovering critical vulnerabilities and segmenting these to determine appropriate mitigation strategies
     • Up-front Risk Identification: focus is on mitigation triggered by VRM vendor risk mitigation strategies and processes
     • The VRM / VMO will lower vendor risk exposure by effective and proactive identification and risk mitigation strategies and monitoring processes
     • The VRM / VMO organization has an opportunity to significantly reduce risk exposures
  9. An Op Risk Management Framework
     Supplier Risk Model – Risk Management Process
     [Diagram. Labels: Vendor Risk and Control Self Assessments (RCSA); Strategy; Business Initiatives; Risk Measurement; Business Continuity Strategy; Key Risk Indicators (KRIs); Vendor Risk Monitoring; Vendor Risk Identification & Assessment; Risk Reporting]
     Vendor Risk Governance: Vision, Guiding Principles, Risk Strategy, Risk Appetite, Organization Structure, Risk Glossary
     Bulleted items:
     • Common Organizational Hierarchy
     • Common Risk Definitions
     • Common Control Themes
     • Key Process Focus
     • Validating Components
  10. For strategic vendors, an additional risk filtering process
     Proposed VRM Risk Filtering
     1. Risks are filtered for identification and categorization
     2. Risks are measured according to business impact and possibility of occurrence
     3. Results of aggregate risk measurement determine contract and vendor engagement model
     [Diagram. Risk filters: Strategic; Operational; Financial; Regulatory; Environmental; Foreign Corrupt. Risk 1 to Risk 6 pass through the filters and are plotted on an Impact / Probability matrix (L to H)]
     • VRM Management Process: Contract Renewal; Contract Extension; New Contract
     • Vendor Segmentation (Segmentation Tool): Strategic (mandatory); Operational; Commodity; High Risk
     • VRM Governance Processes: Problem Mgmt.; Change Mgmt.; Delivery Mgmt.; Risk Mgmt.; Financial Mgmt.; Contract Mgmt.; Relationship Mgmt.
     • Focus areas: Performance & Management Focus; Governance & Control Focus
     • Specific vendor management approach based on segmentation and risk weighing; Scorecard; Onboarding
     • Risk filtering: Strategic vendors, specially selected Operational vendors and all ITO/BPO will be additionally risk profiled and rank profiled
     • After segmentation: Leading to tailored VRM processes – scorecards weighted to risk mitigation, specific onboarding activities and innovation management
     • Tailored Processes: After filtering, scores will be matrixed,…
  11. Supplier Risk Model – Vendor Risk Categories
     VRM Risk Filtering
     • Reputation impact
     • Assesses Transition Risk while onboarding a new service provider. These risks may include poorly defined / documented processes being transferred, lack of co-operation from the terminating service provider, the need to transfer institutional memory and transfer knowledge, loss of knowledgeable Company staff during transition,
     • The overall financial stability of the service provider is assessed by a Financial Stability analysis. This helps to determine whether the service provider will remain solvent, invest in technology and new services to remain competitive and has the financial resources to provide services at the desired service levels for the duration of the contract.
     • "Green", Recycling, Environmental impact
     • Regulatory compliance assessment helps to determine the compliance with regulatory edicts and events that will disrupt services that are delivered by the service provider
     [Diagram. Risk filters: Strategic; Operational; Financial; Regulatory; Environmental; Foreign Corrupt. Risk 1 to Risk 6 plotted on an Impact / Probability matrix (L to H). Process steps: Establish the context; Identify Risks; Analyze Risks; Plan for Risks; Segment risk; Control]
  12. Supplier Risk Model – Risk Management Process
     • Stage 1: QUALITATIVE ASSESSMENT. Identification, Prioritization and Assessment of Vendor Risk
     • Stage 2: RISK MONITORING. Monitoring of Risk and Process Indicators to Track Operational Risk Level, Modify Risk Profile and Improve Business Processes
     • Stage 3: QUANTITATIVE VALIDATION. Identification and Measurement of Operational Risk Events, including Near Misses
     [Diagram. Labels: Contract Life Cycle; Risk Measurement; Risk Identification; Risk Assessment; Risk Mitigation; Risk Monitoring. Risk filters: Strategic; Operational; Financial; Regulatory; Environmental; Foreign Corrupt, applied to Risk 1 to Risk 6]
  13. Supplier Risk Model – Risk Response
     Awareness
     • Probability and Impact
     • Recognition of effects of risk on:
        - service levels
        - brand and reputation
        - service levels
        - consumer perception
        - vendor viability
     • Awareness on internal, external and regulatory environment
     Prevention
     • Goal is to recognize, reduce or mitigate the likelihood of service disruptions, brand and reputation tarnishment and comply with regulatory issues
     • Key processes include:
        - risk assessment
        - risk identification
        - risk segmentation
        - risk management
        - risk monitoring
        - change management
        - scorecarding
        - onboarding
     Remediation
     • Goal is to identify procedures for managing 4 stages of disruption
        - interruption
        - response
        - recovery
        - restoration of service
     • Minimize or eliminate impact on:
        - services
        - brand
        - reputation
        - business impact
        - time
        - cost / revenue
        - resources
     • Determine most appropriate focus level
     Knowledge
     • Goal is to learn from experience and to hold vendors accountable for the consequences of their actions
     • Modify standard procedures resultant from lessons learned
     • Establish a basis of vendor interaction
     • Formalized activity
  14. Supplier Risk Model – Stakeholder Risk Change Management
     Capture
     • Input
        - Detect disruptions and estimate impact on service performance
     • Process
        - Identify and categorize disruptions
        - Record risk in risk database
        - Update scorecard
        - Liaise with LOB
     • Output
        - Scorecard
        - SLA alignment
        - Root Cause Analysis
        - Change management
        - Issue closure document
     Communicate
     • Input
        - Communicate disruption impact
     • Process
        - VRM identifies disruption
        - Distribute reports and documents from "capture" to "closure"
        - LOB / Vendor / VRM meetings
        - If process change, document
     • Output
        - Review action points
        - Follow up
     Collaborate
     • Input
        - Review immediate causes and identify root cause
        - LOB / vendor / VRM
     • Process
        - Identify alternative solutions
        - Select best alternative
        - Delegate assignment
     • Output
        - Scorecard
        - SLA alignment
        - Discount capture
        - Root Cause Analysis
        - Change management
        - Issue closure document