To succeed in today’s global economy, businesses face intense pressure to produce and deliver better products and services to the market faster and more efficiently. To achieve this, they need to exchange sensitive information efficiently and extend their business processes to include partners and suppliers across industries and geographies with diverse regulatory environments.

Organizations should proactively initiate an information risk management strategy to understand and prioritize risk in a consistent and repeatable way, and then target solutions that map risk profiles to protection levels.

Sensitive information assets expose organizations to risks that can damage their reputation, compliance posture, or competitive position.

Supplier risk management is an evolving discipline in operations management for manufacturers, retailers, financial services companies and government agencies where the organization is highly dependent on suppliers to achieve business objectives. Outsourcing, globalization, lean supply chain initiatives and supplier rationalization have contributed to a highly fragmented model, where control is often several steps removed from the corporation.

While these models have allowed companies to reduce overall costs and expand quickly into new markets, they also expose the company to the risk of a supplier suddenly going bankrupt, closing operations or being acquired.

To overcome these challenges, companies mitigate supply chain interruptions and reduce risk with strategies and tactics that address supplier-centric risk at multiple stages in the relationship:

- Onboarding: Bringing suppliers into the operation with registration that includes:
  - A centralized supplier registration portal
  - Integration of third party performance, financial data and predictive indicators into the supplier profile
- Monitoring for stability beyond financial data, including:
  - Criminal and terrorist ties (i.e. Office of Foreign Assets Control) and operational performance
  - Visibility into potential disruptions caused by geopolitical threats, acts of nature, etc.
- Cultivating strategic supplier relationships for the long term:
  - Leverage supplier scorecards for continuous improvement
  - Establish and use benchmarks for measuring supplier performance
  - Create a system for collaboration and supplier development
- Establish control across the extended enterprise:
  - Create integrated supplier networks
  - Extend performance management benchmarks to second and third tier suppliers

Optimizing Supplier Risk Management

Question: How can the bank optimize its vendor risk management efforts?

Answer: Conducting business in a world wired for instant connection is constantly changing. It’s complex, teeming with technology and overflowing with sensitive information. Expectations are that regulatory enforcement for assessing risk of outsourced suppliers will increase, not decrease. The bank’s responsibility for developing a cost effective due-diligence process for finding and resolving high risk issues is abundantly clear.

Does that mean that you need to develop a program that provides due diligence for every outsourced supplier or vendor of the bank? Absolutely not. The expense is much too high and the probability of success much too low. However, by breaking the process into layers (triage), the bank can continually winnow down the list of suppliers to those who constitute high risk to the enterprise. Those suppliers who are ‘ticking time-bombs’ are the ones that require immediate attention.

For example, the first layer of process is to leverage information already captured by your vendor procurement group which identifies the vendor’s geography, corporate information, business process, financial reporting, existing compliance practices, and contracts. This will identify many vendors which do not provide an IT or data security risk. Many, if not most, third party relationships do not rely on access to your confidential data and networked connections.

The second layer would tap into information available through public sources. This data creates a risk profile based on indicators for business, financial, and geographical factors of the third party. Again, such analysis identifies those third parties that do not require the third, final and more expensive step requiring a focused due diligence process.
Probable success in tracking down the high risk supplier from this reduced number of suppliers and vendors then becomes substantially higher.

Key Drivers of Successful Supplier Risk Management

The global recession proved perhaps the most challenging period ever, or at least since the Great Depression, in terms of managing supplier risk, as companies had to find new ways to both assess that risk and enact mitigation strategies as suppliers struggled to stay solvent. While the worst may be over, in these dynamic times supplier risk management will stay high on the procurement priority list, and companies need a formal process for managing it. Research shows that on average large companies encounter a major supply chain disruption every 4-5 years.

Just this year, for example, network equipment and other high tech companies have battled shortages on very basic electronic components, leading firms such as Ericsson, Nokia, Alcatel-Lucent and others to report pretty significant hits to revenue in Q2 and falling stock prices because they simply couldn’t deliver the goods to customers.

The Boston Consulting Group (BCG) recently did a survey of procurement executives around practices and processes for supplier risk management (SRM), an acronym which unfortunately is also used for supplier relationship management. Regardless, Boston Consulting defines supplier risk management as “the use of processes and procedures to offset any risk factors that could interrupt a supplier’s ability to provide an organization with needed raw materials, components, or other inputs or services.”

It says typical risk factors include: financial risks that could affect a supplier’s solvency; operational risks that could affect quality, logistics or pricing; market risks related to regulatory and geopolitical events, or changes in commodity prices; major catastrophes and natural disasters; and anything that would compromise a company’s brand, intellectual property or proprietary processes.

Writing in The Institute for Supply Management’s Inside Supply Management magazine, Boston Consulting’s Robert Tevelson, Petros Paranikas, and Byron Paul say, however, that their research showed “the majority of companies that do have SRM practices tend to focus only on direct, supplier-driven risks, ignoring those related to market changes, geopolitical issues and other potentially disruptive, external events.”

Of course, each company and its supply base are subject to different levels and types of risk, depending on the number of available suppliers in a category, where the suppliers are located, how generic versus customized the supplied product is, use of single versus dual or multi-party sourcing strategies, and the way the company itself creates value and goes to market, among other factors.

Five Levers for Supplier Risk Management Success

BCG has identified five key factors necessary for SRM success.
These five are:

Engage Top-level Management: This means both that senior procurement leaders must actively show their support for SRM within their organizations, and then also communicate that need to the CEO and executive peers. Yet, BCG’s research showed only 45% of respondents discuss SRM with the organization’s executive team on a quarterly basis; 20% never discuss SRM with senior management.

Best-in-class companies, BCG says, set up regular SRM reviews that follow a standard format and offer clear escalation procedures when potential problems are flagged. The authors make the strong point that SRM cannot be only the province of the procurement group – the trade-offs and level of risk tolerance must be approached cross-functionally.

Segment Suppliers Based on Relative Risk: No company can manage detailed risk assessment and mitigation strategies across thousands or even hundreds of suppliers. So, procurement organizations must pick the most important suppliers to focus on, but too often this is done by “gut feel” rather than a formal categorization process.

“Best-in-class companies take a more formal approach, dividing suppliers into different risk categories based on predetermined criteria such as financial health, supply of critical components, supplier value-add, supplier power, time to switch and industry outlook,” BCG says. “These risk assessments are refreshed at least annually, and, in some instances, every quarter. High-risk suppliers are reviewed more often, so that issues are identified early and quick action can be taken.”

Not surprisingly, the authors say, more frequent risk assessment is linked to more successful risk identification.

Rigorously Measure and Manage Risk: Even though it has become well understood that companies need to assess both the probability of a supply disruption and the level of financial impact the disruption might cause, BCG’s research found only 40% of respondents were satisfied that their companies could effectively quantify the likelihood and impact of key risks.

BCG says companies need to add more “rigor” to the risk assessment process, and do a better job collecting cross-functional data that might help identify an emerging supplier problem earlier (for example, are key personnel leaving the supplier?).

Collaborate with Key Suppliers: Complex, global supply chains require higher levels of collaboration. So do very “lean” supply chains (and who doesn’t have one of those these days?), where disruptions can quickly lead to operational and financial problems.

The key point: “Companies such as these must understand the risks of the entire supply chain, not just of individual suppliers. Yet few can single-handedly take on the substantial cost of managing risk across the board. Collaboration is critical,” the BCG consultants say.

The research found few respondents say that their companies actively collaborate with suppliers to manage risk.

Give Category Managers Tools and Training: As with many things, most companies agree that supplier risk management is essential, yet the survey showed few companies effectively educate their senior leaders and category managers on how to do it well.

The research showed two-thirds of respondents reported that their companies failed to provide even one full day of risk management training, and most expressed dissatisfaction with current company training programs on the subject.

Technology support tools are equally lacking, though BCG says a few companies have complex tools that can track the potential impact of a single event in one location — such as a tornado in Kansas — on all aspects of the supply chain.

“SRM is challenging and requires a proactive, customized approach to get it right,” the BCG authors conclude. “Understanding your company’s model, based on your source of competitive advantage and degree of supply chain complexity, reveals critical best practices. These, combined with the five levers for success, can help your company stay ahead of potential supplier problems.”

Third Party Risk Management and Vendor Compliance

Third Party Risk Management is rapidly growing in importance as organizations increasingly turn to outsource providers to reduce operating costs and increase their focus on core competencies. Amid the benefits of outsourcing, there lies a significant risk. Simply stated, liability cannot be outsourced.
Compounding this dilemma, regulators including OIG, OCC, FFIEC and others are increasing their focus on potential third party risks. They want to see organizations proactively identifying potential risks, verifying that business partners, providers and their employees are compliant, monitoring for changes that might create new risks or compliance gaps, and managing the investigation and remediation of incidents. The Third Party Risk Management solution from Compliance 360 helps organizations address these critical requirements.

With Compliance 360 Third Party Risk Management, you have a complete platform for automating the essential processes and proactively ensuring vendor compliance.

Implementing Supplier Risk Management: A Phased Approach

As a follow-up to Frank Gaibor’s February blog post, “Improving Life Science Supplier Risk Management Programs – Were you prepared for the volcano?”, I want to briefly discuss the implementation of Supplier Risk Management as fully outlined in our Pharmaceutical Manufacturing Magazine March 2011 article “Vital Links: Supply Risk Monitoring”.

Life Science companies face an incredible range of risks in their business environment and should adopt a holistic approach to assessing and monitoring key supplier risks. Implementation of this approach can be broken down into three phases:

Phase I: Prioritization

When establishing a supplier risk monitoring program, organizations should look to prioritize the suppliers included in the program. If organizations tried to monitor all suppliers across different risk areas, supply chain managers would be overburdened with the sheer volume of information. As part of phase I, organizations should look to identify their information requirements and map them to the various specialized business information providers.

Phase II: Continuous Monitoring and Analysis

The changing business and regulatory landscape increasingly requires organizations to proactively identify supplier risks. To do this requires continuous monitoring of key suppliers. To alleviate the burden of continuous assessment, there are many well-established risk management tools that, when applied properly, can quickly assess risks and support the development of targeted solutions.

Phase III: Information Aggregation and Reporting

One of the key challenges associated with collecting large amounts of information on a continuous basis is aggregating the information in a clear and succinct manner. Information will be coming in from various news sources at different times and frequency. This requires organizations to establish processes and supporting IT infrastructures to collect and manage supplier risk information. One innovative approach to information management is the utilization of shared portals as a central repository of supplier information.

Establishing a supplier risk monitoring program requires organizational commitment, resource investment and a change in mindset. Many organizations believe their current approach for auditing suppliers, with its narrow focus on compliance risk factors, is an effective method for managing supplier risk. In reality, they are only managing a fraction of overall supplier risk.

Organizations which adopt and implement a comprehensive supplier risk monitoring program will have visibility into a broad spectrum of overall supplier risk factors, not just compliance, and will ensure they are able to continuously supply patients with their life-saving therapies.

Benefits:

Reducing supplier risk can:

- Give insight to manufacturers to create defensive and offensive strategies that turn risk into a competitive advantage.
- Help determine whether or not it is beneficial for a company to conduct a customer intervention and know in advance what the potential outcomes might be for an intervention.
- Improve competitive position in the market.
- Lower supplier costs.
- Position manufacturers to better address customer needs by addressing supplier vulnerabilities before they become apparent.

In this macroeconomic climate, whether you are a product or a services company, your key suppliers may find demand for their own products and services falling at an alarming rate. Unknown to you, such suppliers may have become financially unhealthy. Operating in such an environment, your business operations can be disrupted unexpectedly by the failure of one supplier and can cause significant harm to you. As a result, procurement organizations, which have historically focused on securing products and services of the best quality at the lowest possible cost for their operations, are also being tasked with evaluating, monitoring, and managing the risk from the supply base.

To ensure that they are able to consistently evaluate and manage supplier risk, procurement executives need very clear visibility into their spend with each of their suppliers at various levels of detail -- how much are they spending with each supplier, what products and services are they buying from which supplier, what is the split of a product’s purchase across multiple suppliers that you buy from, what regions is each supplier shipping/servicing from, what is the trend line of various operational, financial and legal risk metrics for each supplier, who are their suppliers, how are the various suppliers linked at different tiers, etc. Spend Analysis provides procurement executives clear visibility into answers to such questions.

Spend analysis is the process of determining what is being spent, with whom, and for what. Such an insight is typically used to identify opportunities for cost reduction such as rationalizing supply base, increasing contract compliance, and reducing maverick spending. However, spend visibility is also critical in determining the risk from the supply base. It provides critical information to categorize suppliers by spend, product/service, industry and geography, and enables procurement executives to use that information to create a short list of target suppliers.
It allows the procurement organization to enrich the supplier information with data from external sources and internal supplier performance metrics, so a clear risk assessment of the short list of suppliers can be done and programs can be put in place. Hence, investment in spend analysis is the starting point to a comprehensive supply risk management initiative.

First Step in Spend Analysis is Making the Data Ready

However, spend analysis is not just about running analytics on top of procurement data with your ERP system. Spend data lies within multiple systems within the company and so it needs to be aggregated to get visibility into overall spend. A supplier’s name may be coded differently in different systems -- a common occurrence. Due to different codes used to describe the same product/service across different systems, it is not possible to get an aggregate view into how much has been spent on that or similar items without adding a corresponding industry classification code for each item in every transaction record. Finally, relationships between suppliers are rarely identified within various systems. For example, your system may not tell you that Lab Equipment, Inc. is a subsidiary of Lab Supplies, Inc. If it did, you would realize that you have greater spend with and risk from that supplier.

Due to the data issues listed above, it is not possible to do an accurate and comprehensive analysis of spend by simply bringing data from various systems into a spreadsheet or a Business Intelligence system and performing the analysis. The data has to be cleansed to remove errors, normalized to ensure suppliers are represented in a consistent manner, and finally enriched with classification data, subsidiary relationships, supplier performance data, etc. Only then can the analysis be done on the data to yield an accurate picture of the overall spend. Once data has been cleansed, normalized and enriched, it is ready to be analyzed to identify risk to a company from its supply base.

For example, in one scenario we can classify suppliers by categories such as total spend, product, industry and geography. The ability to classify suppliers along these dimensions allows a procurement executive to identify all those suppliers where they are either buying large volumes or those suppliers where they are sole-sourcing or those suppliers providing critical components/commodities. This analysis allows them to prepare a shortlist of suppliers that need to be evaluated and monitored for risk.
The classification also provides immediate visibility into those suppliers who are associated with either an industry or a product group that increases their exposure from issues such as quality; commodity and labor shortages; price fluctuations; environmental and safety issues; and supply/demand imbalances. It also quickly clusters suppliers by their geographical risks such as political issues, infrastructure difficulties, and currency fluctuations. By analyzing data along these dimensions, procurement executives are able to create a shortlist of suppliers that need to be closely monitored.

Companies that do not use the spend analysis tools end up sorting their suppliers only based on approximate aggregate spend with them and focus their attention on the top 20% of suppliers that make up 80% of the spend. But low spend suppliers can be a source of significant risk as well. A cheap part in an expensive engine can cause the engine to fail. Data theft enabled by poor security practices of a small IT provider can cause irreparable damage to a retailer’s brand and lead to lawsuits. Using spend analysis, procurement organizations can do a comprehensive analysis of their supply base across multiple dimensions such as spend, products purchased, number of other suppliers for the same product, location of plants, supplier/part quality, supplier shipment performance, etc. to identify suppliers that pose risk.

There’s no measurable return from a supplier risk management initiative unless the risk materializes and you can quantify the avoided loss. Until then, it’s only possible to estimate the impact using a metric that takes the probability of the risk and the expected magnitude of the loss. In addition, it is important to remember that even the most successful risk management programs only reduce the impact of a risk; they do not eliminate it. However, with a good supplier risk program, you are on your way to reducing the business risk for your organization.

With initial supplier risk evaluation, based on data from spend analysis, you can start the process for reducing the risk from weak suppliers within your supply base in this economic environment.