CPO Agenda Supply Chain Risk and Corporate Reputation
1. ROUNDTABLE: REPUTATION
HOW CAN MANAGING SUPPLY
CHAINS MITIGATE RISKS TO
CORPORATE REPUTATION?
In our latest roundtable debate, senior buyers discuss
procurement and risk, and ask how their companies
and organisations manage corporate reputation.
The event was sponsored by Achilles
48 CPO AGENDA | AUTUMN 2012 www.cpoagenda.com
Roundtable.48-53.1.cr.indd 48 12/09/2012 12:18
2. THE PANEL
Participants:
(clockwise from left)
Ian Campbell, business
development manager,
Achilles
Gary Hills, head of capital
development, BBC
Sue Ferm, supply
management director, Atkins
Jean Olivier Billes, regional
procurement director,
SunGard
Rebecca Ellinor (chair),
managing editor, Supply
Management
Dan Quinn, new sector
development director,
Achilles
Kirsty Bower, head of
procurement, Affinity Sutton
Nick Brazier, CPO, BNP
Paribas UK
(centre) Tim Astley,
regional practice leader,
strategic risk and business
resilience, Zurich
Rebecca Ellinor (RE): Are organisations could impact on reputation is rarely under- is there an assessment of what process is in
yet connecting risk and reputation? stood. Some sectors understand this better place and what audit trail you have.
than others and unfortunately some won’t
Jean Olivier Billes (JB): Not enough. They get it until they have their own public and Nick Brazier (NB): As an investment bank,
might do it through a marketing department, expensive problems. we have a keen eye on reputation, certainly
or other department, in order to improve over the past few years. We have started to try
their reputation, but I don’t think they use Ian Campbell (IC): Everybody makes the and turn it into something that we can track
procurement much on this. Most of the time, link between reputation and risk. However, and measure and we can take action against
targets cost savings and they are more short- it is about early identification – knowing those warning signs. It is becoming more of
term, whereas when your reputation is where risk is going to come from and for a process, more of a governance factor.
affected, it can be a problem in the long term. each category of corporate policy.
Tim Astley (TA): The key thing is to
RE: Do you have to educate people? Gary Hills (GH): It is a constant thought – recognise reputation as one consequence of
reputation risk – in the BBC. It is always risk. Procurement clearly has a central func-
Kirsty Bower (KB): It is 50-50. They do get there for slightly different reasons. It doesn’t tion in supply chain and value chain
it when it affects them directly. For example, affect our share price, but being publicly evaluation, but businesses should be taking
they understand we need to attract the best accountable there are plenty of organisa- an holistic view to try and evaluate the
companies to come and do our construction. tions out there ready to pick up anything that risk. It is there in different guises in
They don’t get the other end of it, that if happens and publish it to the public. different organisations.
you breach EU Regulations that can
affect reputation. Sue Ferm (SF): There is an understanding RE: Are you saying that procurement
that there is a reputational risk, but is the might well have its own process to try to
Dan Quinn (DQ): The role procurement can connection to the procurement and supply protect itself against risk to reputation,
have in identifying and managing risks that chain made? Only when something happens but the other parts of the organisation
www.cpoagenda.com AUTUMN 2012 | CPO AGENDA 49
Roundtable.48-53.1.cr.indd 49 12/09/2012 12:18
3. then you can pull them in, but we can’t be the developed we then see three levels of risk:
leading light for every area of the business. one is the broad environment – the generic
exposures that a company might be exposed
RE: Are others finding procurement is to, for example flood zones. Then it is opera-
leading on this area? tional issues – what is the supplier’s
performance? Then it is about looking at the
NB: Yes, part of it is picked up by corporate supplier’s own environment – what are the
communications to make sure. But they relationships like?
don’t have an eye across the business as to
what is going on every day. JB: It is even more complex now. You have to
understand the supply chain of your sup-
TA: The main custodians of reputation are plier, of other partners if they are in another
the board of directors. Where we have seen part of the world, or another region. There
traction on the importance of supply chain are different regulations, different situations
risk, it has been driven from the board. to deal with.
don’t have it and then there is only so
much procurement can do on its own? DQ: I am sure if some of the automotive or GH: You can structure that as much as you
tech companies impacted by the Japanese or like to specific areas of risk. That takes in
TA: Yes. If you do take an isolated perspective, Thai disasters had predicted some of the finance, health and safety performance and
you run the risk of running into operational risks of having a manufacturing cluster in an lots of other things there. You give them
imperatives, like procurement – cost, qual- area that is likely to be flooded or have earth- weighted scores and have a panel to score
ity, delivery – to the exclusion of some of the quakes, they would have been more responses and moderate answers. You allo-
broader risks and issues that an enterprise motivated to invest in managing it. cate sections out to specific people or subject
might be exposed to. It is only when you take matter experts. Then they moderate
those issues together and the perspective of JB: Or it could have already been coming together later on to give an overall score.
different functions that you can get a full view. from procurement, by having a back-up There might be absolute criteria that people
plan, or a dual sourcing strategy where you have to meet with regard to financials
NB: Once we start understanding what the have one vendor in this part of the world and and things like that. It all feeds into the
risks are and start having processes, we only another one somewhere else. reputation risk.
have to make sure the people we work with
and our stakeholders understand we need to
go through these steps, by showing them “If some of the automotive firms
what the impact would be.
impacted by the Japanese disaster
JB: It is more about educating at the top
sometimes. For example, they will build a had predicted risks, they would
reputation with the focus on quality of ser-
vices, but they will not anticipate any risks have been motivated to manage it”
to avoid any future issues.
RE: What other processes or systems do SF: We have a supply chain knowledge centre
SF: Organisations are so different in terms your organisations have in place? that we have developed in-house. It is part of
of who the process owner of risk is – group our pre-qualification process; it identifies
risk, director of a corporate risk, director or NB: We developed our own basic Excel- risk with that particular supplier or contrac-
whoever. Theoretically someone should own based measurement assessment tool, which tor. It is a standard checklist and a very
that because that is when you can get all the looks at criticality at risk on two axes. There similar panel, so we have three people who
strands of the business together. are 16 questions – simple radio buttons that look through the different elements of that
you pick from multiple selection answers pre-qual process. It would record any risks
NB: We are starting to co-ordinate more with and it rates a vendor, plots them on a graph – red and amber risks are highlighted on the
other teams that in their own way have also and tells you whether they are high, medium portal effectively. Evaluation will be done as
had to start looking at this: BCM, or IT secu- or low risk. If it is high risk you might put an a subset of that.
rity, for example. Because they have their action plan in place to mitigate the risk you A lot of our suppliers will have to do the
own processes, we are starting to build them have identified and that is a very high level same approval process for everybody they
into our central process as we are looking at view of what we have done. work for in a different guise, so we all create
vendors. Where other areas of the business a different version. We have talked about a
are already developed and are quite mature TA: Once the critical risks have been standard model [within the industry] that
50 CPO AGENDA | AUTUMN 2012 www.cpoagenda.com
Roundtable.48-53.1.cr.indd 50 12/09/2012 12:19
4. ROUNDTABLE: REPUTATION
we all aim for that would give us the perspec- cases – and their consequences – that never going to find out – it is about the
tive on a plate, so we are all working on the happened in the same sector and industry. private companies and trying to get the
same information. financial information. Is that a key part of
TA: Our actuaries like to see real data in your risk management strategies?
DQ: Achilles has an approach to looking order to price the risk. We found there wasn’t
across the whole sector. Suppliers collabo- any coherent data out there, so we set up our NB: Yes. Some of our vendors might be stra-
rate in non-competitive areas to make the own supply chain loss event database, which tegic by nature because they are the only
whole process much more efficient for both goes back 10 years, and codifies loss events provider of some software or whatever. They
buyers and suppliers. In effect, they are cre- by sector, loss type and region. It covers all are a partner, whether you want them to be
ating sector-wide standards and consistency, issues that give rise to a supply disruption. or not and you need to be working very
which facilitates the prequalification of closely with them to make sure you are
suppliers across the entire sector. NB: The other driver can be legislation, of always aligned. You can’t be surprised by
course, in terms of how vendors are treated anything with some of these vendors because
RE: Do you make it part of the risk analysis by large organisations. it would immediately have a serious impact
of your suppliers that the onus is on them on operation.
to look at the risk of their suppliers? RE: Kirsty, as a small organisation do you
find it easier to be connected to all of TA: The challenge is when you have a sup-
NB: Historically that is how we have done it: these other parts of the business and to plier that is strategic to you, you look at how
relied on the vendor and put things in the see where the risks might occur? important you are to them, and it may be
contract and SLAs, but increasingly we are very different. That is another issue that
not happy with that. The onus still needs to KB: In terms of the front-end of the procure- needs to be addressed. If you know you are
be on the tier one vendor, but we need to be ment process, if we are leading a new number 20 in their list of priorities then that
getting more information more regularly. contract it is easy for us to pull in all the right tells you something about how they will
people, to make sure we have the risk. We respond in the event of a supply shortage.
GH: We have changed our approach to some struggle with the back end as the contracts
contracts, whereby we demand certain areas go to the operational departments. KB: We brand ourselves as one of the top 10
are self-delivered so you have that bit more We have our audit director and the audit housing associations, but if you take it out to
control over risks there and are able to audit. team measures the risk register. We have a the wider world, we are tiny. The mentality
risk board. Each year our internal auditors of the staff is that they expect suppliers to fall
RE: Is it easier to get firms to make a will look at all the contracts they have, and at our feet. We have put a simply policy in
change when something goes wrong? each time we hand the contract over, we place and said nobody in the business can
make sure that we not just train the contract meet a supplier unless they have gone
NB: Over the past few years in procurement manager, but anyone else who that contract through a commercial awareness training,
we have been honing our skills and processes will have an impact on during its life. so at least they know what they can say and
to at least start to take more of a governance- A lot of the risk management comes out what they can’t say.
based approach to risk. When something about the day-to-day relationship you have
happens, you get a sudden step change and with the guy on the other side of the table. GH: We have the strategic relations board
you leap forward a couple of years’ worth of (STAR) for the major contracts. You have the
organic development in a few months. RE: If you don’t have that relationship with main board, driven by procurement, but you
those suppliers there are things you are have to produce an annual report on the
GH: Sometimes you do have to wait for an
incident. If we put proposals forward that
are not accepted by the board, you have to
highlight the risk and then it is a decision on
the likelihood which may then be out of your
hands as to whether the business accepts it.
TA: A risk manager will try to get them to do
things to stop things happening in the future,
rather than waiting for them to happen.
RE: Any tips on how you make that argu-
ment to the board, to get them to invest?
JB: One solution could be to present some
www.cpoagenda.com AUTUMN 2012 | CPO AGENDA 51
Roundtable.48-53.1.cr.indd 51 12/09/2012 12:19
5. ROUNDTABLE: REPUTATION
and it was a massive inconvenience,
these customers remembered that this
company had handed out mobiles and
dealt with it.
DQ: High impact, low probability, “black
swan” events will occur. Catastrophes will
occur. Do you think organisations can still
get away with the excuse of “It is a low
probability so we didn’t manage it”?
GH: If you recognise it. As long as you
have an audited trail of the decisions made
and why.
suppliers that are within the STAR contracts. GH: We are looking at the contracts now TA: It’s a good point about the planning
There is also a six-month health check, so saying: “Shall we deliver this in-house issue and how far down the probability
you have to report on the risks that you think because we are not transferring the risk, but curve you go; it is like trying to second guess
exist and report up. we are paying a premium for it?” Just look- every event that is going to happen. We were
ing at whether risk transfer is really asked after the Iceland volcano: “Does that
NB: If we have a high risk we will put an achievable. I definitely don’t think it is mean I now have to study all of the
action plan in place, but rather than just with reputation. Northwest European volcanoes to under-
every two years, we might go through every stand where the next volcanic threat is?”
quarter. Then we hand the contract over. SF: We do a tiering based on spend and con- Those disrupted were dependent on
The person you are handing it to is not going tract so it is about opportunity more than Northwest European airspace to transport
to have the time to do what you think they risk. It drives how we manage the money goods. It is trying to pull away from really
are going to do, so you have to have terms and frequency reviews, and so on. specific triggers and think about generics.
structure in the contract. Otherwise you would never get it done.
RE: So how do you deal with problems
RE: How do you work out who your when disaster strikes? Have you dealt IC: What about every day risks that are very
critical suppliers are? with it swiftly or had a back-up plan? transactional, for instance, consultants
coming onsite – they are handling your data.
NB: We have done it two ways: by spend, but NB: That is where the value of your relation-
also looked across main categories and ships comes in, how close you have managed NB: For consultants, we have a very strin-
identified the vendors that are strategically to be with your vendor. gent on-boarding policy for coming into the
critical to us. business, having IT access, have access to
TA: It is not just about managing upstream, confidential information, IP related issues,
TA: We try and look at it from a value view- the impact of whatever difficulty has been confidentiality issues. In a way, because that
point – what is the impact on the output of had, but to the extent that it might impact is a tangible thing, we find it easier to con-
an organisation, whether it is reputation, the customers and the sales and marketing trol. One thing I see a lot more of which has
market share or profit – and try and work people in the organisation, having them a big reputational risk attached to it is data:
backwards from there and map the various engaged and integrating them into the pro- everything we do now takes an extra month’s
connections from a value perspective rather cess so they can be communicating with negotiation on data protection. That is a real
than an expense perspective. their customers if there are supply prob- developing area that no one has nice handy
lems to be addressed or to be recognised. clause they can just throw at a contract; eve-
RE: Are there certain things people don’t Then customers can view issues sympa- rything seems to need to be tailored around
consider a risk – because they are too thetically which can go a long way to different services and different scenarios.
often just looking at where the spend is? enhance a reputation.
We were involved with a European tele- TA: Clearly, the data issues are similar across
DQ: Undoubtedly, in many cases they are coms company that lost a network as a all sectors. Cyber risk is not a new issue, and
focusing on the core of the business to result of a fire. The first thing it did was I doubt whether it is restricted to supply
understand where things are likely to go communicate with key customers and chains. Cyber exposure – whether it is data,
wrong. But inevitably when something does handed out mobile phones because this was virus attack or systems’ interconnectedness
goes wrong it is because they are blindsided part of its plan. This was what it anticipated. – there is so much dependence upon that
by something unexpected. Even though the network was out for a week whole area of technology and connections.
52 CPO AGENDA | AUTUMN 2012 www.cpoagenda.com
Roundtable.48-53.1.cr.indd 52 12/09/2012 12:20
6. GH: It can be restrictive as well – our infor- SF: We did have a debate as to whether we GH: If we deliver projects on time and
mation security restricts possible changes should extend our process. We decided we in budget and without any disruption,
that would improve processes. There are would just test they have a process in place then the business looks to you much
areas that I have highlighted where the and go with that. It was a decision point that quicker than it would to do somebody
business has responded negatively – they said our resource is better used over here. else and it tries and carries out its own
won’t take that risk. You are preventing procurement. Make it easy and efficient
business improvement in some cases. RE: What about putting opportunity for your internal customers for them to
and risk together? Does anybody have follow your own preferred procurement
TA: This issue of inter-connectedness is examples of that, where you can attract route. Avoiding any of those risks you
now at the top of a lot of people’s agendas. better suppliers, or more customers? can then advance your own standing in
Different entities have information on sup- an organisation.
pliers at different levels of a particular JB: If you are compliant in terms of soft-
value chain, if you like, and it is just joining ware and you sell software solutions NB: If you have a good reputation as an
these dots together that, in time, will start packages, then it is good for your image, organisation, you can probably get
to give more visibility. You do come across
confidentiality issues and the ability to
share data. “If you have a good reputation as
RE: How do you go about identifying your
suppliers’ suppliers?
an organisation you can probably
SF: We ask them who they are and what
get your hands on innovative
was their process for managing their sup-
ply chain. Again, as we get further down
products before others”
the supply chain, that becomes less and
less in terms of documented processes. your customers and your reputation. It is your hands on innovative products
You just have to assess the risk based indirect – I am not sure you can measure before others.
on the limited knowledge, or limited this – but in the long term you build a
information you are given. ‘brandable’ company. TA: Apple recently has gone out and listed
its key suppliers so they are public informa-
NB: For us, if it is a sensitive process being KB: When we do the business case for any tion. I am sure one reason it has done that
outsourced, then we will want to validate. new contract we are going to procure, we is now there is a whole list of people who
Beyond that, certainly at the start of the try to understand who might be interested can freely talk about how good Apple is
contract we would validate the proposed in it, why and what type of customer we as a customer, which will enhance
– lower down the chain, the subcontrac- might be to them. Then you can start to Apple’s reputation.
tors. On some that aren’t very sensitive we understand the best way to put the con-
would put the onus on them and it would tract out there to attract the right people SF: Clients are very interested in how our
be down to them to manage and deliver and discourage the people it is not going supply chain views us. In the bid process
the service as they see fit, within the to fit with. It is almost like a reverse that we go through it is a key question that
parameters we set. contract; what are we to them? says: “How do you measure this? How do
you get feedback? What are they saying
about you?”
NB: You can’t always mitigate risk when it is
there anyway – sometimes you just have to
live with it and you have to appreciate that
sometimes. If you need something and your
business has one source of supply and they
happen to not be very solvent, you have to
live with it. You can’t have a black and white
tick box: “if you can’t tick that box you are
not coming on to the RFP” approach.
GH: Sometimes things that are that rigid
will be losing out in certain areas.
www.cpoagenda.com AUTUMN 2012 | CPO AGENDA 53
Roundtable.48-53.1.cr.indd 53 12/09/2012 12:20