Driving integrity into the supply chain | Report and optimise

December 4, 2019

In earlier articles, we explored how setting integrity expectations with your suppliers can be an effective tool for promoting compliance, and how trusting and verifying that your partners ‘walk the talk’ is a necessary step for reducing risk in the supply chain. We talked about setting the scope of your supply chain integrity programme, and the tools that can be used to provide a reasonable level of risk-based and consistent oversight.

In this article, we will explore how organisations can report and optimise their programmes using metrics, stats and KPIs to measure the efficacy of their supply chain programmes.

Why programme reporting is important

Having a supply chain programme simply to meet regulatory or legal requirements may not help you identify and effectively manage risks created by suppliers. Yet organisations often miss the value and significance of programme reporting, while others are simply not aware of the crucial role optimisation plays in managing supply chain risks.

Modern supply chains can be quite extensive, in terms of the volume of suppliers and the complexity of managing them in a global business environment. An effective programme should be designed to maximise the value of constrained resources, which is why it is essential to leverage the data to drive better outcomes.

Ultimately, the point of your supply chain integrity programme is to collect information about current and potential partners, to help you make better business decisions.

That is why it is important to have a reporting and optimisation system within your supply chain programme. Lack of such a process can lead to financial loss, reputational damage and misapplication of your budget or available resources by targeting non-priority risk areas.

Programme reporting is central in managing supply chain risks because it externally demonstrates the organisation’s commitment towards driving integrity in the supply chain, while it internally uncovers the programme’s efficiencies and failures.

While not all-inclusive, the list below discusses some of the benefits of programme reporting.

  • Improves visibility

If no one knows how much value your programme brings to the organisation, is that going to help you find champions to support ongoing improvements? Visibility into relevant metrics is the best way to demonstrate the value of a supply chain integrity programme to stakeholders and leadership.

  • Justifies programme budgets

If the organisation’s leadership does not understand how what you are doing adds tremendous value (beyond the financial and ‘doing the right thing’ perspectives), it will be hard to get the budget you need to continue oversight of your supply chain. Developing good cost metrics and backing those metrics with demonstrated measures of risks will bring context and a clear understanding of budget requests.

  • Encourages better decisions

Insights and understanding can help us make better decisions; opinions, on the other hand, can lead to poor decisions. Having the metrics to demonstrate the true risks allows for better decisions about accepting, declining or mitigating each risk. Understanding the metrics will help you stack your supply chain with better business partners.

  • Supports programme optimisation

Through reporting, certain flaws may emerge that can only be identified through the development of baseline and performance trends. For instance, without effective reporting, you may continue to engage suppliers that don’t subscribe to your values, or you could be wasting time and resources monitoring suppliers that don’t require it because the region they are located in is highly regulated or low risk. Reporting and optimising your supply chain programme promotes completeness and better utilisation of resources by making sure that risks are properly addressed based on the impact they have on you. Neglecting reporting and optimisation can leave loopholes in the programme and lead to various integrity risks.

Programme reporting can also help:

  • demonstrate your commitment to integrity and compliance
  • highlight the programme value and return on investment to the business and key decision-makers
  • provide evidence that your suppliers are ‘walking the talk’ and following programme requirements
  • create a baseline for assessing trends and pattern consistency
  • ensure proper controls
  • promote a culture of supplier integrity
  • prioritise your resources to areas that may cause you the biggest impact as a result of risks created by your suppliers.

Metrics tell a story … What story are you telling?

To effectively report and optimise your supplier programme, you need some key indicators to help you understand where inefficiencies are observed so you can take practical action like offboarding bad suppliers. Some of those key indicators are metrics, but metrics alone are meaningless unless they are able to tell a story. That story should prompt action to optimise your programme.

As Canadian philosopher Marshall McLuhan said, ‘A point of view can be a dangerous luxury when substituted for insight and understanding.’ Thus, effective programme reporting and optimisation requires a set of metrics that can quantify programme strengths and weaknesses without solely relying on experience or point of view.

Which metrics should you consider?

Given that metrics differ by company size, industry, country and nature of business, we don’t intend to cover all metrics that may be helpful to your programme. Instead we will cover the core areas that you may want to begin with to help create your story and allow stakeholders and leaders to see your vision and why it is important.

In the process of looking at the metrics you have captured and building your story, there are bound to be some ‘aha!’ moments that provide insights into opportunities to optimise your programme.

As a starting point, we will be addressing three general categories that are common to supply chain integrity programmes: operational metrics, risk metrics, and cost metrics.

Operational metrics

Basic operational metrics help you build a baseline for your programme that can be reviewed periodically to assess if you have the right tools and processes in place to adequately handle the job.

Example operational metrics

Baseline operational metrics can help you understand the fundamentals of your programme, which, when combined with cost- and risk-based metrics, will provide greater visibility across your supply chain integrity programme.

Below are some things you may learn from your operational metrics.

  • Geographic concentration of third parties

The cost of compliance assessments can vary widely depending on the location of the supplier, as some countries are more open and information is easier to get. Similarly, relevant risks are often dependent on where the third party is situated. Knowing where your third parties are located will play a big part in calculating overall programme KPIs.

  • Types of third parties

Which types of third parties are you dealing with? Some third party types can drive up the assessment effort, the cost of managing the relationship, and the overall risk you must manage.

  • Risk tier breakdown of third parties

It is important to understand how your supply chain network is distributed across risk tiers, as this information will be required later, when you look at cost- and risk-based metrics. Ultimately this will be a big driver in where you want to optimise your programme spend and resource efforts.

  • Volume of new onboarding and renewals

Onboarding and renewals are typically where most of the supply chain integrity programme energy is expended. This is a key metric that starts to present a picture of where efforts are being spent.

  • Comparison of onboarding time

Which sub-segments of suppliers take the most time to onboard and slow down the business? Onboarding time is an excellent area to look at for programme optimisation opportunities.

Risk profile metrics

Risk profile metrics cover initial third party risk profiling and things discovered during your onboarding risk assessment. These data points provide you with a holistic integrity risk profile for your supply chain and can help you answer the question we always hear: ‘What’s your risk appetite?’. How would you know how to answer that if you couldn’t quantify the level of risk you are accepting now? Once you do know, you can say, ‘Less than I currently have’, or maybe ‘It’s more than my current programme allows’.

Example risk profile metrics

Risk profile metrics help organisations identify and track risks that may exist within their supply chains.

Below are some things you may learn from your risk profile metrics.

  • Assumed versus assessed risk score

This can help you identify areas where your risk matrix could be improved. If you notice that a particular third party type has a significant gap between assumed and assessed risk, you may want to ensure that any risk factors are properly weighed, which would give you a better insight upfront as to that type of third party.

  • Risk-tier ratio across dimensions

By understanding the risk-tier ratio (for example 3 percent high, 15 percent medium and 82 percent low) you can start to develop your risk profile. Knowing where ratios change (for example by country of business, third party type or industry) will allow you to predict which sub-segments require additional analysis and possibly process changes.

  • Risk area analysis

By looking at the risk profile metrics, you will be able to get a picture of integrity risks that may not be at the top of your priority list but are inherent to parts or all of your supply chain. This may not mean that you should refocus your programme, but it could be an indicator of opportunities for review to determine the impact such a risk would have on your organisation.

  • Risk event analysis

This is where you can see where risk events actually occurred versus where your risk modelling predicted they would occur. This can help you detect patterns of actual issues against sub-segments of your third parties, leading to opportunities to modify your upfront assessment activities and proactively tease out which third parties may cause trouble down the road.

Cost-based metrics

Costs can be the hardest metrics to obtain without doing an analysis of all programme activities, resources, tools and so forth. However, when it comes time to submit your annual budgets, identifying costs and the more elusive revenue figures for your programme will justify the plan you are proposing.

Example cost-based metrics

Below are some things you may learn from your cost-based metrics.

  • Where to optimise spend

By looking at where your compliance spend is going, it becomes easy to see where your budgets should be focused. There is always a balance between oversight spend on areas where risks are low or unlikely and high-risk areas that could impact the company’s bottom line. Using cost and risk metrics will help with the decision process for optimising your programme.

  • The true cost of risk events

Determining the true cost of risk events, large and small, can be tricky. Each event can vary in its nature and in the scope of resources involved to investigate and mitigate the problem presented, so it is likely you will need to identify actual costs, like investigation, legal expense and communications. Where possible, the reputational cost to your brand should also be considered.

  • The hidden cost of poor supplier decisions

Probably the hardest cost to assess is the overall cost of making a poor decision to do business with a bad supplier. Every organisation will have unique factors that go into calculating the cost of poor supplier decisions. We would recommend a periodic review of third parties who have been off-boarded to assess programme and downstream operational impacts.

Programme optimisation

Different functions within your organisation are always competing for resources, budget and leadership buy-in. As the compliance or procurement function, you need to make the best and most effective use of whatever budget, resources and time the business allocates.

The various metrics listed earlier can help justify the value and necessity of a supply chain programme to the business. For example, an increase in the number of incidents being reported by your suppliers is evidence that your programme is effective as your suppliers are open to transparency and willing to report any wrongdoing before impact. However, a static number of issues being reported by your suppliers may mean that your programme requires reviewing, because this could suggest that your suppliers are either not aware of your processes or are hiding issues that may expose you to integrity risks and reputational damage.

It’s advisable to use your resources and time to address issues that have a direct impact on, and higher costs for, your organisation and brand. However, this shouldn’t stop you from paying attention to other risks. If your suppliers are in manufacturing, your risk exposure is higher for environmental mismanagement, modern slavery and human rights abuses than for personal data breaches, money laundering or terrorism financing. Your top priority must be channelled towards those high-risk areas, while also maintaining very close oversight of other risks. Risk prioritisation is very important because it tells you where your energies must be directed.

Think like a CEO; think revenue!

In closing, we have some final thoughts about how a supply chain integrity programme can begin to build traction and win greater support. It’s something we call ‘Think like a CEO metrics’. The primary goal of business is to make money and increase shareholder value. One undisputed measure of this success is revenue generation.

Supply chain compliance has historically been viewed as an overall cost to the business. As organisations struggle to contain costs in increasingly competitive environments, it is easy to focus your story around cost savings; however, a story about how compliance can help increase revenue is much more compelling for your CEO and company leadership.

Two areas of revenue metrics that are ripe for study are opportunity response and market expansion.

Opportunity response is pretty straightforward: implementing a programme that allows the organisation to quickly capitalise on new opportunities. This may include fast tracking good decisions on suppliers that are needed to develop new products and services.

Revenue expansion looks at the opportunity that effective supply chain integrity can bring by opening up new markets that may otherwise be difficult to get into. Many governments and large multinational companies are mandating that their partners demonstrate effective compliance and integrity programmes throughout their business operations and supply chain networks. Organisations are turning to certification programmes like ISO 37001 to demonstrate their integrity programmes and open up revenue opportunities that otherwise would not exist.


Additional research must be done on revenue metrics for your supply chain integrity programme to help develop a revenue-based framework from which to tell your integrity programme story. If you have examples of how you have built revenue-based programme metrics, tell us what you are doing by emailing us at the contact details below.


Reporting on your supply chain integrity programme should be approached strategically. The metrics you initially choose should be designed to provide insights into the key business objectives of the programme. As data is collected over time, it will establish a good baseline for where you are at, and begin to highlight trending patterns that may require greater analysis and gradual corrective action. Having a baseline can also act as a source for identifying sudden changes in a metric, which could indicate a variation in your risk patterns that must be addressed.

Keep in mind the goals of programme reporting: ensuring consistency in your business processes and highlighting areas where optimisations can be made. The combination of operational, risk-profile and cost metrics will give you visibility into the overall risk you are accepting throughout the process of integrity oversight, while ensuring that hidden costs do not impact your team’s ability to manage and mitigate potential issues. Prioritise development of metrics to align with your programme objectives.

Finally, create the story that you want to tell about your supply chain integrity programme and develop metrics that will help you tell that story. We discussed how cost-conscious organisations may focus more on the cost to maintain an acceptable risk level, whereas an organisation that has a low risk tolerance may need to focus their metrics and reporting on how their efforts are succeeding at bringing risk down. Understand that the story you want to tell will change over time as business priorities and current events within your programme dictate. Become comfortable with developing an ever-widening range of metrics and reporting to gain visibility into the effectiveness of your programme.

Explore how our products and services can help you manage risks and compliance. Visit us at www.redflaggroup.com or email us at info@redflaggroup.com if you have any enquiries.
