9 Jul 2020

Supplier Management

Effective Supplier Management – Risk Management Essentials

Written by James Cowley

Third Time Lucky

Following on from my last article, today I bring you the third of my four-part series – Risk Management. In this piece, I’ll be giving you my view on the key aspects to consider when looking to manage risk in your key supply relationships and supply chain.

From Snowball to Avalanche

The focus on managing risk within the supply chain has increased over recent years and rightly so. The advent of the Modern Slavery Act in 2015 and the drive for a more transparent and sustainable supply model has brought an added dimension to managing risk, plus the explosion of the digital age has led to heightened focus from a cybersecurity perspective too. When you also add in the small matter of the GDPR legislation in 2018 and the consequences of not handling data correctly, this concoction of delights is enough to give anyone a sleepless night! All of this, coupled with an increase in outsourcing critical activities, has in my view brought the activity of managing risk to centre stage and high on the agenda for all CEOs and therefore all CPOs.

What was once a snowball has now quickly developed into an avalanche, but how can all of this be managed effectively?

To Risk or Not to Risk?

Given the consequences, both financial and reputational, not managing risk effectively with your key supply partners is simply a non-starter in my opinion. Not only can huge fines follow a ‘breach’ event, but the damage to your organisation (and those associated with it) can be devastating and something you may never recover from. Gone are the days of passing the buck or simply assuming that someone else has it covered. It may seem obvious, but my recommendation is don’t get caught out! Work with your key SMEs to ensure that risk is central to the framework you deploy for managing your supply estate, particularly your critical services and key suppliers.

A Multi-Faceted Approach

When it comes to supply chain risk, both these Tech Target and McKinsey articles provide useful definitions and guidance on the topic. Both are very clear that there are multiple aspects to getting it right, which I absolutely agree with.

For those still grappling with what actually constitutes risk management in the supply management world, the Tech Target definition below feels like a good, concise description that works well for me.

“Supply chain risk management (SCRM) is the coordinated efforts of an organization to help identify, monitor, detect and mitigate threats to supply chain continuity and profitability.”

Going further, I would also suggest that it’s not a ‘one size fits all’ scenario and that Procurement should not be the sole arbiters of what good looks like for your organisation. Many companies have specific risk teams and my recommendation would always be to work hand in hand with the relevant SMEs within your organisation to develop an approach that’s right for your supply base and your customers. What is clear in my mind though is that your approach will need to be multi-faceted and capable of capturing risks of different types, from different scenarios and during different stages of activity.

Types of Risk

When it comes to types of risk, I personally like the simple but clear approach the McKinsey article takes with its ‘Known’ and ‘Unknown’ risk categorisation. Known risks are typically ones that you should be able to determine. I would recommend understanding what your appetite is towards these and ultimately what ‘good’ looks like. These will be numerous, but could be something such as:

  • a data loss or breach event

  • your most critical supplier goes into liquidation

I will talk in more detail shortly as to how I think you can do this, but needless to say having a clear and documented approach to measuring these risks is key.

In addition to the above, there is the other side of the coin – unknown risks. Naturally these are more difficult to predict, but can be devastating in their effects, as we’ve seen with the sweeping nature of COVID-19 this year. Planning for each eventuality can be more difficult, but what we’ve learnt is the need to be able to react quickly and with agility. Take time to understand what such potential events could be and then use this work as an opportunity to develop the business case to bolster your resilience and defence mechanisms.

Where Does It Start and End?

You will have noticed that in my previous articles I’ve been very clear to state that effective supplier management, and in this case, the management of supply risk, isn’t an activity that you start when you’ve signed the contract and the service has become live. Understanding your risks and developing an effective framework to monitor, mitigate and address them is a continual and ongoing activity in its own right.

So how do I weave risk management into my framework and where does it start? As mentioned, work with your business to outline the risk landscape for your supply chain and then take steps to address it at all stages of the procurement and supply management lifecycle. There are many activities at different stages, but below is my summary view of how to hopefully ensure your business is not caught out starting at the outset:

  • Prospective Supplier Due Diligence. Some of you may know this as a ‘pre-qualification’ questionnaire or due diligence questionnaire, but regardless of its name, I would always recommend that you deploy a mechanism for prospective suppliers to be able to provide key information with regards to their company and their underpinning processes. You may choose to adopt a phased or dynamic approach to the collation of information depending on the type of service you’re looking at or the stage of the engagement, but it’s crucial to ensure you capture key elements from financials through to information security and everything in between.

  • Capability Requirements. This is an area that’s often overlooked, particularly in respect of technology purchases. Whilst the ‘supplier’ due diligence referred to above should capture key information at the company level, on occasion it doesn’t go deep enough in respect of the services or solution offered. As an example in the IT world, here I would address things such as ‘platform’ risk and resilience to ensure that the solution you are to consume is capable of a full failover if you need a ‘highly available’ service. Be careful here to avoid falling into the gap between company due diligence and project requirements, and ensure you understand and take steps to mitigate the risks in this space.

  • Sourcing. It goes without saying that this phase is a prime place to ensure you determine how a prospective supplier stacks up against your identified key areas of risk. It is likely that this phase encapsulates a combination of 1 and 2 above, but it can also be a good opportunity to understand the full supply chain and to delve more deeply into the journey from ‘A to B’. Remembering that often there can be a chain of events before the relationship between yourself and your chosen supplier will help you understand what risks lie further upstream that could eventually impact on you.

  • Contract Management and Ongoing Monitoring. Fundamentally the management of risk cannot be a ‘one time’ activity. Take time to develop mechanisms to capture the ongoing management of risk and ensure the activity is central to your ongoing relationships with key suppliers. This can take various forms from a scorecard to physical audits to the regular upload of new financial information and business accreditations, but understanding that you need the methods to continually monitor your outlined risks is one of the most important things you can do. Without it you will have no way of knowing where you stand in respect of the likelihood of a failure or compelling event.

Lastly, and as with the entire discipline of supply management, there are tools, both specialist and end to end that you can deploy to help you in this arena. As always, I would say that investment in such tools should be in line with the approach your company wishes to adopt and its risk appetite. If you do choose not to purchase a specific platform, you will need to ensure you have some method of documenting and managing risk as a minimum. Without it the prospect of significant disruption to your business will be a far more likely event.

What’s Next?

Up next and the last in my four-part series is a favourite topic of mine, Relationship Management. I’ll be bringing the curtain down on what’s been a really enjoyable series to write and I look forward to sharing this with you in a couple of weeks’ time. In the meantime, if you require support on any of the areas covered above, please feel free to contact me on 07834 452333 or at Marriage-Stanley Associates via this link.

James Cowley

Principal Associate, Marriage-Stanley & Associates