In our series on supplier management, we have now come to supplier risk. This is one of the most complex areas in the entire procurement technology space because risk management spans multiple areas and can be defined or classified in so many ways. One of the problems with risk management is that much of it goes beyond procurement — almost always extending to suppliers. In many cases like intellectual property, cyber security, and ESG, you need to manage risks holistically that covers both your own organization but also your suppliers.
That said, we will focus on supplier risk management and some of the key areas to manage. First, there are some fundamental risk management capabilities that must be considered regardless of the risks being managed.
Risk Management Basics
Some risk areas are covered by the platform capabilities we looked at in part one of this series. But for the purpose of supplier risk management, they need to be specifically configured.
There needs to be specific dashboards and reports to show risk statuses and trends. The solution needs to be able to send alerts and notifications when certain events occur or thresholds are passed. This means that capable risk management solutions also have strong analytics capabilities. Similarly, there needs to be links to supplier improvement and risk mitigation action plans akin to what we covered in part 3 (supplier performance management) of this series to trigger correctional activities when something happens.
In some industries, it’s important to not only manage tier-one suppliers (i.e., the suppliers that directly supply your organization) but also tier-two suppliers (i.e., the suppliers of your tier-one suppliers) — or even suppliers all the way back to the raw materials used (i.e., all the suppliers used in the entire supply chain, or n-tier suppliers). This requires a supplier management solution that supports multi-tier supply chains, something that quickly becomes complex.
Different Types of Risk
As mentioned at the start, there are a multitude of different types of risks, and they can be broken down as granularly as needed. But most of them can be managed in similar ways with different third-party data sources and specific sets of questions. That said, there are some common types of risks that need to be managed for all (or most) organizations and their suppliers.
- Regulatory risk. Governments all over the world are requiring more and more information about businesses and their suppliers. This ranges from data and information to curb money laundering, child labor, and conflict minerals supply chain risks. Organizations need to be able to report compliance in a wide variety of areas. Thus, a strong supplier risk management solution is required. Solution providers can’t take on the full responsibility for compliance since the liability lies with each organization, but they can support them with subject-matter experts and updated templates to make it as easy as possible.
- Geopolitical risk. Increased outsourcing and reliance on suppliers in low-cost countries have also made buying organizations more exposed to geopolitical risks, such as civil unrest, strikes, armed conflicts, and so on. Having an overview of high-risk areas and which suppliers are impacted by potential events is critical for risk mitigation and to quickly assess the impact of an actual event. A good risk management solution should be able to map out your supply base as well as keep track of associated geopolitical risks and events. It should also easily visualize high-risk concentrations of individual suppliers and supplier groups with high-risk profiles.
- Financial risk. Tracking the financial status of your suppliers is straight forward if you are willing to pay for financial information and your suppliers are located where there is reliable financial data available. Most supplier risk management solutions have partners that can (against a fee of course) enrich supplier profiles with this type of data and/or financial risk scores.
- Supply risk. This risk type is associated with geopolitical risks but also looks at the entire supply chain and the risks associated with specific supply lanes, ports, and other critical/choke points. These are specific areas that most general-purpose supplier management solutions lack support to any great degree.
Event and Media Monitoring
The final capability I’d like to address is event and media monitoring. This entails some version of AI (or many individuals) that monitors traditional and social media for both events and overall sentiment. The conclusions and results can then feed into the risk management tools both as a trigger to take immediate action (i.e., a specific event occurs that forces you to act, such as a supplier strike, a major port incident, etc.) or a warning that something might be about to happen.
The next and final part of this series will focus on supplier innovation and development. However, before we call it a wrap on the series, we’ll be featuring a mystery article — so stay tuned!
And, as always, don’t hesitate to reach out to Ardent Partners if you have any questions!
