Supply Chain Risk Management
RAJITA NAIR, June 2020
What is SCRM?
Supply Chain Risk Management is “the implementation of strategies to manage both everyday and exceptional risks along the supply chain based on continuous risk assessment with the objective of reducing vulnerability and ensuring continuity.”
Supply Chain Management is an essential part of vendor governance, and involves the entire life cycle from procuring the raw materials required for a product until it reaches the consumer. Supply chain management consists of identifying the vendors involved in producing a finished product and the risk these vendors pose to the entire chain. While sourcing, contract management, and supplier management are some of the critical elements of SCM, in this article, I will focus on vendor risk management.
A supplier’s risk to the supply chain cannot be conducted in isolation but needs to be conducted along with cyber risk, financial, reputational, legal, risks. For example, a supplier with weak cyber operational controls will pose a significant risk for the entire chain. Supplier management needs to be meticulous, thorough, data-driven, and also include a list of back up suppliers to minimize the impact in the event of a disruption.
Today, almost all organizations rely on hundreds if not thousands of suppliers across all areas to function. In many cases, the overwhelming volume of suppliers and the massive load of data associated with them, are some of the reasons for organizations to defer looking into starting the process of supplier management.
At ComplyScore, as a vendor risk management company, we have helped multiple companies reduce their supplier risk by implementing industry best practices. I have listed a few of them below.
1. Information- The more information you have, the better!
Have a complete inventory of all the suppliers your organization uses. Do not just focus on your tier 1 suppliers. You need to have details on your tier 2&3 too. Also, have a backup list of suppliers you can use in case of a disruption of service from your current supplier. Not having a list as well as a backup list puts you at a disadvantage from the get-go
First, assess the “impact” of the vendor across multiple areas. These areas are:
a. Financial Impact
What will be the monetary impact on your business if the supplier is unable to deliver due to any reason? E.g., Bankruptcy?
b. Operations impact
Will a delay/disruption from a particular vendor affect your production directly and indirectly?
c. Legal Impact
Will, there be a legal impact, and how much will it be a lawsuit if the supplier does not comply with regulations?
d. Information Security impactDoes business with a particular supplier put your security posture at risk?
e. Reputation impact
Will, the goodwill and reputation of your organization, be impacted by doing business with the supplier
f. Assess the sensitivity of the supplier‘s failures across internal & external factors:
Examples of external factors include
Liquidity – A highly leveraged supplier will be very sensitive to liquidity ,Geographical disruption – Social, political or vironmental disturbances
Examples of internal factors include
Compliance culture, Process maturity, Meticulously designed supplier risk assessments are needed to adequately assess the risk and its impact on your organization’s security posture.
3. Putting it together –
- Create risk appetite policies
- Establish inherent risk scoring of the suppliers
- Establish sensitivity of the supplier to external factors which predict the risk of failure
- Create a heat map of Likelihood and Impact of failure
- Establish mitigation strategies for each quadrant
4. Monitor the risk
a. Monitor the supplier‘s metrics
- Establish proxy indicators & metrics. For example, delivery performance is an excellent measure of capacity & process maturity.
- Correlation between these metrics (additional below) and the supplier risk are critical to managing risk proactively. Continuous monitoring of the vendor will alert you at the very beginning of disruption.
Having a third party vendor risk management software will help you monitor the risk factors on an on-going basis.
b. Monitor the external factors
- tools like Risk Pulse, Resilience 360, Stat Weather will help your staff to take precautionary actions. Similarly, tools like Geoquant will keep you informed on the political situations around the world. This is particularly helpful as in today’s world, a single organization runs on the materials and help coming from all over the world.
- Based on which factors are turning red, activate the mitigation plan. While the overall plan seems broad, creating the quadrants help focus on areas of high impact and high likelihood. Service providers like Complyscore will help you put these risks together.