Supply Chain Risk Management
RAJITA NAIR, June 2020
What is SCRM?
Supply Chain Risk Management is “the implementation of strategies to manage both everyday and exceptional risks along the supply chain based on continuous risk assessment with the objective of reducing vulnerability and ensuring continuity.”
Supply Chain Management involves a product’s entire life cycle, from procuring the raw materials required for the product to the point where it reaches the consumer. Supply chain management consists of identifying the suppliers involved in producing a finished product and the risk that these suppliers might pose to the entire chain. While sourcing, contract management, and supplier management are some of the critical elements of SCRM, this article focuses on supplier risk management.
Analysis of a supplier’s risk to the supply chain cannot be conducted in isolation, but instead needs to be conducted alongside cyber, financial, reputational, and legal risks. For example, a supplier with weak cyber operational controls will pose a significant risk to the entire chain. Supplier management must be meticulous, thorough, and data-driven, and must also include a list of backup suppliers to minimize the impact in the event of a disruption.
To function today, almost all organizations rely on hundreds, if not thousands, of suppliers across all areas. In many cases, the overwhelming volume of suppliers and the massive load of data associated with them are the reasons why organizations defer starting the process of supplier management.
At ComplyScore, we have helped numerous companies reduce their supplier risk by implementing industry best practices, a few of which are listed below.
1) Information: The more information you have, the better!
Establish a complete inventory of all the suppliers your organization uses. Do not focus solely on your Tier 1 suppliers – you need to have details on your Tier 2 & 3 suppliers too. Also, have a backup list of suppliers that you can use in case of a disruption of service from your current suppliers. Not having a list or a backup list puts you at a disadvantage from the start.
2) Inherent risk on each supplier:
First, assess the “impact” of the vendor across multiple areas. These areas are:
a. Financial Impact
What will the monetary impact on your business be if the supplier is unable to deliver for any reason, e.g., bankruptcy?
b. Operations Impact
Will a delay or disruption from a particular vendor affect your production, directly or indirectly?
c. Legal Impact
Will there be a legal impact, and how much will a lawsuit cost if the supplier does not comply with regulations?
d. Information Security Impact
Does business with a particular supplier put your security posture at risk?
e. Reputation Impact
Will the goodwill and reputation of your organization be impacted by doing business with the supplier?
f. Assess the sensitivity of the supplier’s failures across internal & external factors:
- Examples of external factors include:
  - Liquidity – A highly leveraged supplier will be very sensitive to liquidity
  - Geographical disruption – Social, political or environmental disturbances
- Examples of internal factors include:
  - Compliance culture
  - Process maturity
3) Putting it together:
a. Create risk appetite policies
b. Establish inherent risk scoring of the suppliers
c. Establish sensitivity of the supplier to external factors that predict the risk of failure
d. Create a heat map of the Likelihood and Impact of failure
e. Establish mitigation strategies for each quadrant
4) Monitor the risk:
a. Monitor the supplier’s metrics
i. Establish proxy indicators and metrics. For example, delivery performance is an excellent measure of capacity and process maturity.
ii. The correlation between these metrics (explained below) and the supplier risk is critical to proactively managing risk. Continuous monitoring of the vendor will alert you at the very beginning of any disruption.
b. Monitor the external factors
i. Tools like RiskPulse, Resilience 360, and Stat Weather will help your staff to take precautionary actions. Similarly, tools like Geoquant will keep you up to date on political situations around the world. This is particularly helpful in today’s world, where a single organization may run on materials and help from all over the world.
ii. Based on which factors are turning red, activate the mitigation plan.
While the overall plan seems broad, creating the quadrants helps you focus on areas of high impact and high likelihood. Service providers like ComplyScore will help you put these risks together in an understandable way so you can react accordingly.