How to succeed in supply chain risk management

October 17, 2016

Supply chain risk management programmes need to be updated as the risks presented by suppliers have drastically changed in recent years. Risk areas that have not previously been considered now need to be high on the agenda for compliance and procurement professionals.

The types of risks presented by suppliers have expanded to include environmental risks, human rights, diversity, cybersecurity, intellectual property and the handling of personal information. The Red Flag Group has identified 23 risk areas across four different categories that must be considered in any risk management programme:

  • antitrust and corruption
  • employment, safety and reputation
  • cybersecurity and business stability
  • environment and governance

Every supplier poses a unique set of risks depending on the nature of their business, their location and their industry. With awareness of the connection between a supplier’s issues and their impact on the business, a risk-based approach is the best way to manage a supply chain.

The Red Flag Group recently covered this topic in a webinar hosted by director of content Christopher Sindik, compliance ambassador Tom Fox, and manager of the Firm’s Supplier Ecosystem Initiative™ Jared Connors. Here are the key takeaways from the presentation:

How to build a programme

In a poll conducted during the webinar, the majority of respondents (52 percent) voted for antitrust and corruption risks as having the greatest potential to cause reputational or operational damage. While these risk areas have traditionally led to serious consequences, in terms of government fines and penalties, the webinar participants contended that these results would change if a more holistic view of supply chain risk management were taken. Additionally, the compliance department has historically focused on the operational risks of suppliers, while other departments, such as procurement, view risks around business continuity as a higher priority.


The biggest roadblock to effectively managing suppliers is not understanding the variety of risks presented and how they can negatively impact the business. The first step in adopting a risk-based approach to supply chain risk management is to identify and get to know your network of vendors and contractors. Companies might have 10,000 suppliers in their supplier database but they are actually only doing business with a small portion of them. It is important to focus on the suppliers that are actively working for the company, as conducting in-depth research on a long list of potential suppliers can be an inefficient use of resources. The basic steps of building a quality programme include:

  1. Identify
    1. What risks are in your supply chain
    2. Which suppliers represent the biggest potential for risk
  2. Collect
    1. Media reports and public filings of the target business
    2. Gather questionnaires and supporting policies and procedures
  3. Evaluate
    1. Analyse the data collected and compare against expectations
    2. Assess the potential impact on the company
    3. Assign risk levels
  4. Mitigate
    1. Document findings and keep an audit trail
    2. Communicate corrective actions to suppliers

It is essential that suppliers are involved from the beginning of the risk management process and that communication lines are open and frequently used.

After the initial assessment, the next step is to use questionnaires, reports, surveys and polls to gather information from your suppliers. This is a good opportunity to learn whether or not compliance is visible to, or of importance to, your suppliers. The right questions must be asked, and these must be applicable to each third party in your supply chain.

After data is collected, it must be expertly examined and processed if companies are to mitigate the identified risks.

Evaluate and mitigate

Once the data has been compiled, the compliance team must analyse and aggregate the information. It is important to remember the mantra ‘trust but verify’. Information and responses should not be taken at face value; they need to be validated and substantiated.

Given the information obtained, it is then the duty of companies to formulate corrective measures to minimise liabilities that could potentially lead to enforcement action or reputational damage. It is vital that these are understood by the supplier and communicated to them so that the necessary actions can be carried out.

Communication is essential during the whole process and should be fostered early on in the risk management of supply chains. Companies are likely to get more useful and thorough data if they use a collaborative approach with suppliers where their intentions are clear. If companies try to force or threaten suppliers, it can often lead to greater push-back and less forthcoming information. Documentation and creating an audit trail should also be taken into account during the entire process to anticipate possible investigations that regulatory authorities may conduct.

Robust risk management

An effective risk management programme typically involves many different groups within a company, including Procurement, Corporate Social Responsibility, Compliance, Corporate Affairs, Audit and Legal. There are typically two models of risk management – centralised and decentralised – and each has its own strengths and weaknesses.


In a centralised model, the risk management programme is run and owned within a single group. This promotes consistent messaging with suppliers and allows for other departments to focus on other tasks. However, some drawbacks to this approach include internal strife over relationship ownership and suppliers feeling disconnected from the company.


With a decentralised approach, elements of the risk management programme are owned by different stakeholders within the organisation. This model promotes collaboration and benefits from the unique strengths of different functions within the company. However, suppliers can sometimes feel that they are being pulled in different directions if the messaging is not consistent, and it requires all of the relationship owners to coordinate in order to stay up-to-date on the status of the programme.


Almost half of the webinar participants confirmed that they have implemented a hybrid model for risk management that incorporates elements of both the centralised and decentralised approaches. In the hybrid model, each department can make its own contribution to the supply chain risk management programme:

  • Procurement – supplier prioritisation and understanding the risks associated with specific commodities
  • Corporate affairs – understanding regulatory changes and communication with stakeholders
  • Corporate social responsibility – Code of conduct requirements and supplier engagement
  • Compliance – training, questionnaires, risk scoring and responding to reports of misconduct

In addition, having technology support the risk management programme is essential to ensuring that procedures are being properly implemented. This is because it allows for activities to be automatically monitored and coordinated between the company and supplier.

While 47 percent of webinar participants said that they did not yet have a technological solution in place to support their supply chain risk management efforts, many confirmed that they are currently reconsidering this.


Software is just one part of the supplier risk management programme. A company team with the right capabilities must use technology in a way that complements the human element of the programme – for example via communication, on-the-ground audits, or regular interactions with suppliers. Specialists need to analyse the potential impact of risks and determine the necessary mitigating actions. Technology can remove some of the more tedious tasks of supplier risk management and allow staff to focus on the more critical elements of the programme.


It is vital that processes are proactive and predictive, so that issues do not fall through the cracks and red flags are spotted as soon as possible. The assessment of supplier risks should also not be a one-time occurrence but an ongoing process throughout the lifecycle of a supplier relationship. Companies have to evaluate suppliers against a wider scope of risks over a long period of time, and adapt to changing business processes and legal and compliance environments.

By enlisting the different skillsets of multiple departments within an organisation, a company can more effectively manage supplier risks. The risk universe is rapidly expanding and companies need to take a modern and holistic approach to supply chain risk management in order to effectively mitigate reputational risk.
