Is your supply chain risk management programme just a one-trick pony?

May 2, 2017

Have you looked back at how much time and money has been spent by your organisation chasing the ‘risk of the month’?

Most organisations have some form of supplier risk assessment or risk review process. You may be in the process of examining or building your programme now. But ask yourself, how much of that programme is built around a single regulation or handful of issues noted in your code of conduct?

I get it — a customer or new requirement was introduced in a country or region and you were forced to react. The engagement was complex, the value was apparent and the customer was happy. But the consequence is that you’re not looking behind you for what could trip you up next. You might be knocking this one requirement out of the park, but how much could focusing on that single issue cost your organisation? How far and wide does your supply chain risk management programme examine problems for your business?

Here are a few questions to ask yourself regarding the breadth and depth of your supply chain risk management programme:

  1. How much of your resource is focused on the data collection efforts for a single reporting obligation?
  2. Does your organisation tend to react to risk issues as they are revealed?
  3. Are you falling short on meeting all of your regulatory reporting obligations, customer commitments and code of conduct expectations?
  4. Does your organisation focus too much on hot-topic risks and short-lived regulations?

If you answered yes to any of these questions, you may want to think about refocusing your supply chain risk management programme to support your organisation against a broader and more consistent set of risk issues.

Supplier risk management is not a new concept. What’s new and gaining attention in the marketplace are the types of risk, the ways these risks can affect an organisation, and processes by which you manage and mitigate risk. Singularly focused risk assessments fail to take into account other integrity and reputational issues that might arise from the supply chain. Companies should approach risk assessments with a much broader view to identify risk signals ahead of time and gain greater visibility into the practices of suppliers.

Programmes must be more broadly focused than chasing down the requirements of a single regulation or customer request. In many cases, it’s a risk versus reward strategy. Low-cost-country sourcing and supply chain outsourcing can lead to bigger margins. But without proper controls, these supplier rationalisation programmes can lead to an increase in manufacturers’ exposure and vulnerability to the risk of supply chain disruptions.

Let’s examine how to properly build a holistic programme or improve an existing one that avoids the pitfall of a singular focus. The risk assessment is a crucial first step in building a broader supplier risk management programme that not only looks more broadly at risk but encompass the entire supplier life cycle and sourcing process.

Four steps to building a best-in-class supply chain risk management programme that looks more broadly at risks facing your organisation:

  1. Identify
    1. What risks are in your supply chain
    2. Which suppliers present the biggest potential for risk
  2. Collect
    1. Media and reports on businesses
    2. Questionnaires and supporting documentation on the supplier’s practices
  3. Evaluate
    1. Analyse the data collected and compare against expectations
    2. Assess the potential impact on your business — assign risk level
  4. Mitigate
    1. Document findings and audit trail
    2. Communicate corrective actions to suppliers

Identify

First, we must identify the risk landscape. We can’t simply spray the whole town to see what comes out red, we need to focus our attention to uncover risk issues. Budgets are decreasing, people are being asked to do more with less, and there aren’t enough resources to give every risk area or supplier the same amount of scrutiny. Early in the process, it is important to identify the key stakeholders in your company and have a multi-disciplined approach to risk management. This will help avoid tunnel vision and create accountability and transparency across the business.

There are lots of indicators out there to help your organisation identify risk issues that could affect your supply chain: industry research, country assessments, NGO reports, insight into other companies with similar supply chain practices. But as not all organisations can throw adequate resources behind all of these; we first need to identify the best way to understand the threats and tangible impacts to the organisation. Having been in-house and now looking at it from a provider’s perspective, I know companies are being penny wise and pound foolish when they try to go it alone. Through the support of a dedicated third-party risk expert, an organisation will be able to take their spending further, covering more risk areas and getting the recommendations of individuals who have assessed risk across several organisations in a variety of industries. Seeking third-party expertise or, at a minimum, programme oversight can help organisations broaden their scope and get out of the rut of trying to solve ‘the one big issue of the day’ first. The process can be done internally, but some organisations tend to grab hold of just one regulation, develop a programme or process to approach it, then call the programme a success. What happens when a risk hits you from outside the boundaries of your current programme?

Collect

Next, you need to look at which suppliers present the biggest potential for risk. How many of us just look at top spends of suppliers? Clearly, this is an important factor, and it also is important to understanding the supplier’s business. This goes back to the resources question of how can the organisation best support a review of every supplier’s individual business practices, something that is impractical in most situations. You can begin to understand a supplier’s business by conducting a first-level evaluation of their potential for risk. Look at their commodities categorically, then compare that to what your third-party risk expert can identify through research into industry, country, and general risk categories seen across the globe today. Some commodities simply have more potential for risk than others, particularly hazardous processes or labour-intensive manufacturing. Some suppliers might be in a category that presents only one risk area or little risk at all.

To understand an individual supplier’s potential for risk and what mitigation activities you must perform, you must understand the supplier’s existing compliance processes and policies. I’ve been working in supply chain risk and compliance for more than 10 years, and one thing I learned early on was to involve the suppliers in the process. Suppliers are the best sounding board to help identify what areas your programme should be focused on. Brief annual engagements provide a great way to understand the broader risk landscape from a supplier’s perspective. If all you ask of a supplier is to address a single issue, that’s all you’ll get.

Some organisations believe that questionnaires don’t provide much value and that the only effective process is to conduct on-site audits. While conducting on-site audits can generate epiphanies about the supply chain, they are very expensive and not needed in many situations. If your effort is to just focus on on-site audits, how would you select which suppliers are most important for audit? Should you employ a rotation process? Could the supplier you audited in year one have a negative impact in year two? And what do you focus your audits on? It is essential to keep a wide view of the risk universe when doing either off-site or on-site audits.

In years past, I supported an industry association in creating a validated audit process of suppliers. After having conducted these audits on-site for a few years, I began to realise that we were too focused on hot topics and missed several issues. The issues were missed because we didn’t first seek to identify the risk issues we should focus on and how best to collect information on those risk issues. Once we started discussing with suppliers the potential risk issues identified by outside organisations, others in the industry or governmental agencies, we gained a far better understanding of the supplier’s practices. In most cases, we found the suppliers were already thinking about these issues and how best to address them. We modified the supplier self-assessments to first focus on risk identification and learning more about the supplier’s cultural stance towards each issue. As a result, we gathered the same if not more information from the suppliers as we would have through hundreds of costly on-site audits.

Evaluate

Once you’ve collected all there is to know about a supplier and its risk profile, the real work begins. You start by analysing the data collected and comparing it against your code of conduct and customer and regulatory expectations. The value of this analysis is in understanding the potential risks to your business. Not every issue identified could affect your business, and the same issue identified from two different suppliers could affect your business in different ways.

I mentioned the value of a questionnaire, but the greater value comes in having a dialogue with the suppliers. When we open a dialogue with a supplier, we get to the real story. Involving the suppliers is never more important than during mitigation, determining why a change is important to your organisation. People outside the organisation and sometimes individuals within an organisation think they have the power to walk in and dictate to suppliers how they’ll run their business. Nearly any procurement representative will tell you this simply isn’t the case. Suppliers don’t always do as we ask, nor do they always have to. That’s why we need to make a reasonable approach at providing the supplier corrective actions that don’t outweigh the value of our relationship. Ideally, these corrective actions add value to our risk-reduction efforts.

Mitigate

We discussed some things you need to do to ensure that you’re not focused on the compliance issue of the month and building your entire supply chain risk management programme like a Hollywood set. If we first take the time to document the complete process and define what success looks like, companies will see far more efficient programmes. In my early years of corporate social responsibility risk reviews, I failed to clearly map out what I was going to execute throughout the annual campaign. Not only did this leave me narrow-minded, causing me to miss risk issues, but I couldn’t even define what success looked like for the one hot topic I was fixated on. I simply jumped in too quickly and attempted to knock it all out in one go. But that didn’t mean we don’t have good ideas. It means the results we’re driving towards are far less efficient because we’re not planning out deliverables.

The Red Flag Group has identified 23 risks under the umbrella of reputational and integrity risk in the supply chain. Risk can come from a variety of sources and affect your business in different ways, from regulatory infraction to reputational damage. We’ve developed a review process to help organisations get out in front of these risks and reduce the potential for negative impact. Don’t get stuck with a one-trick pony. Think broadly to avoid focusing on one area that may disappear from the regulatory landscape tomorrow. Address the risk issues that will be important for years, not months.

To find out more about our products and services, please visit www.redflaggroup.com. If you have any enquiries, please contact info@redflaggroup.com.

Previous Article
Product developments 16/17 - Compliance Managed Services
Product developments 16/17 - Compliance Managed Services

The high workload expectations on compliance professionals leaves little time to manage resource intensive ...

Next Article
Medical NGOs and Donations
Medical NGOs and Donations

Just because an entity describes themselves as an NGO does not necessarily mean that that they are an NGO o...