© Spend Matters. All rights reserved. 1

Supply chain risk management (SCRM) is becoming a top priority in procurement, as organizations lose millions because of cost volatility, supply disruption, non-compliance fines and incidents that cause damage to the organizational brand and reputation.

Bribes to shady government officials, salmonella in the spinach and forced labor in the supply chain can all result in brand-damaging headlines that can cost an organization tens of millions in sales and hundred of millions in brand damage. And while reputation may only be important for name brands, cost volatility and supply disruption affect all manufacturers.

In fact, in the latest 2015 study by the Business Continuity Institute, supply chain disruption doubled in priority relative to other enterprise disruptions (48% of firms are concerned or extremely concerned). Roughly three-quarters of respondents said they had at least one disruption, and the same amount lack full visibility of their supply chains.

In the same study, 14% had losses from supply chain disruptions (e.g., natural hazards, labor strikes, fires, etc.) that cost over $1 million, and these disruptions can easily go up to nine figures. For example, Toyota estimates the costs for the recent Kumamoto earthquakes to be nearly $300 million. Imagine being out of stock on a product line that does $12 million in annual sales for two months. That’s $2 million in immediate lost sales and longer-term brand damage.

Many organizations try to deal with this through point-based supply risk management solutions centered around supply chain visibility, corporate social responsibility or supplier management, trying to implement the top-down “program du jour.” But what usually happens is a solution is acquired, key strategic suppliers are vetted once in a "check-the-box" compliance initiative and that's it. Supply chain risk means managing the entire supply chain, not just tier 1 suppliers. All tiers, distributors, carriers, ports, transportation hubs, warehouses — a delay or disruption can start anywhere.

Risk management, and what is necessary for ongoing risk management, never gets operationalized, and as new suppliers get added, supply shifts and supply chains change, new risk enters the picture — risks that go undetected unless risk management is embedded in all key procurement activities, including sourcing. It is important to remember that:

R E S E A R C H

Supply Chain Risk Management in the Context of Sourcing, Category Management, and Supplier ManagementBy: Pierre Mitchell and Michael Lamoureux

5 Critical Supply Risk Mitigation Principles for Your Sourcing Process

© Spend Matters. All rights reserved. 2

1. When You are Sourcing, You are Really Changing Your Supply Chain NetworkIt’s easy to get lost in the mechanics of sourcing new suppliers and not see the broader supply network implications. For example, you may think you are hedging by dual sourcing, but if those suppliers in turn are sole sourcing to the same critical tier 2 or tier 3 (or 4 or 5!) or all reside in the same GEO (think flood plain) as an example supplier, you are also basically sole sourcing without realizing it. Another example is to consider how elements such as transportation costs, tooling costs (and related capacity) and geography-specific risks have cost considerations that factor into the sourcing process.

2. Supplier Risk is Only One Aspect of Supply Chain RiskWhen organizations consider supply risk within the sourcing process, they tend to focus on supplier-specific risks rather than the broader supply risks that get "inherited" from the nature of the items being sourced, the countries they originate from or flow through, the modes of transport and handling, the logistical hubs (or any location-specific asset), the sensitivity of the intellectual property of the items and the nature of customer-specific requirements passed back to you.

3. Your Sourcing Criteria Must Be ‘Protected’ and Risk Must Be Factored InIf you have created a "balanced scorecard" of sourcing requirements beyond cost (e.g., delivery, quality, flexibility, innovation, sustainability, etc.), congratulations! Now the question becomes to what extent you want to protect those performance metrics that are most important to you. Supply risk management is essentially about protecting supply performance outcomes. Depending on what’s most important, that will drive what risk types and mitigation approaches to consider.

4. You Need to 'Cost the Risk' and Also Get It in the ContractOnce you have prioritized your supply (and supplier) KPIs, and have analyzed the biggest risks that threaten those KPIs, you must then analyze your options for risk mitigation (e.g., complexity reduction, early warning detection, faster recovery time, financial insurance policies, etc.) and then estimate whether you or your supplier (or a third party) has the lowest cost to treat and mitigate those risks so that you can plan for your supplier negotiations and contracting appropriately.

5. You Must Design a Monitoring System That is Part of OnboardingMost procurement professionals understand that savings are not realized during sourcing, but rather, are accrued during the execution process, with automated and failsafed monitoring being the goal to create transparency for all stakeholders. The same, however, goes for risk. Unless you have a means to automate the most important risk monitoring activities, and provide immediate transparency and alerting to key stakeholders, the costs of such monitoring will lead to poor or no monitoring and increased risk. And this will eventually come around to bite you financially.

In other words, risk needs to be ingrained in the sourcing process. With the right process, and platforms, this isn't all that hard to do. Suppliers should be pre-vetted during the identification phase at a basic level to make sure they are financially stable, corporately responsible as far as anyone knows (which can easily be determined by way of reports from third-party CSR providers) and not on any denied party or watch lists. The risk of natural disaster, political embargo, civil unrest or war in the region should also be identified not just overall, but specifically mapped to critical supplier locations (e.g., supplier plants located near the vocanic ‘ring of fire’ on pacific coastlines).

© Spend Matters. All rights reserved. 3Then, if they are in serious consideration for an award, detailed questions can be asked, records checks can be performed, mandatory CSR requirements can be defined and risk monitoring and mitigation processes assessed and specified appropriate to the level of risk. And when it comes time for an award, regular inspections, mandatory initiative and progress reporting, regular performance metrics and use of the supplier portal can be insisted upon as part of the award. With proper procedures and processes, all of the above can be addressed and the organization can work toward maintaining the metrics and brand that is important to the organization.

Category management is about segmenting supply markets to optimally formulate sourcing and supplier management processes to drive savings and other financial rewards. But what about managing the other side of reward — risk? Well, category management can do that too, and to illustrate this, consider the Kraljic Matrix, circa 1983, which plots supply categories against two dimensions: supply impact and supply complexity.

Now, what if you think of complexity as a proxy for supply chain risk and look beyond the Krajlic’s Porteresque market power view of this. In other words, the more “moving parts” in the supply chain (and the higher the velocity, volatility and variability), the higher the likelihood of an adverse risk event. Suddenly, you can can plot categories (or within a category) by risk type so that you have a complete picture of a category.

In fact, you can map risk types to the individual KPIs you use to source a category, subcategory or supplier to help you further prioritize the importance of those risks. Each category will have its own risk profile, but a generic cross-category risk profile is shown above. What is also shown are three key concepts:

How to Make Category Management Do Supply Chain Risk Management

Impa

ct o

f Sup

ply

(NO

T ju

st S

pend

)

Supply Complexity(Proxy for Probability of Risk Event)

Res

ilien

cy

Agilit

y

Prevention

PESTLE

Political

Economic

SocialResponsibility

RiskTechnological

Legal

Environmental(natural

disasters)

Regulatory non-compliance Quality

Risk

PriceRisk

SupplierTakeover Risk

SupplierVisability Risk

Availability/Capacity Risk

Delivery Execution Risk

© Spend Matters. All rights reserved. 4

• Resiliency is the ability to lessen the impact of an adverse risk event so you can recover faster and more efficiently

• Prevention is the ability to lower the probability of the risk event through complexity and risk elimination or through early warning

• Agility combines these two so that you move responsively and quickly to avoid the risks and mitigate their effects

Supply chain risk management is therefore about the organizational, process and technology activities that improve these three critical capabilities to improve your odds in delivering value in your categories and across your categories in the multitier, end-to-end supply chain.

While brand damage can be quite costly to the businesses whose sales rely strongly on the customer loyalty they generate from their brand strength, cost volatility and supply disruption is very costly to all manufacturers. In fact, in the latest 2015 study by the Business Continuity Institute, supply chain disruption is double in priority relative to other enterprise disruptions and over three-fourths of respondents cited that they had at least one recent (significant) disruption. The same percentage didn't have full visibility of their supply chains.

While category management can address and even reduce supply chain risk by ensuring a chosen strategy has the right level of resiliency, prevention and agility, it cannot prevent risk or do much to eliminate the source of risk once something has happened. That can only be done by each party in the supply chain doing everything they can to eliminate the risk. In particular, a supplier needs to do all they can to minimize the risk on their end.

However, not all suppliers are as advanced in supply chain management, and in particular, risk management as the buying organization. That's why good supplier management combined with SCRM is key. Good risk management is a combination of risk prevention and risk mitigation when a risk is detected. Risk prevention involves selecting suppliers, products and services that are low risk and risk mitigation involves taking action as soon as an indicator is detected.

A supplier is not always good at mitigating or even detecting risk in its supply chain, or may overlook an obvious sign that an observant buyer would not, which is why proper supplier management is key. This begins even when qualifying suppliers. Including risk criteria related to the supplier and supplier location gives a good indication of a supplier’s the risk level. Besides the supplier qualification criteria, supply location-related risks provide an overview on potential threats like natural disasters, political situation, sanctions or economic risk. This gives buyers the chance to take preventive actions.

The process continues with performance monitoring. Watch for an increase in defect or section rate, late delivery or early payment request, as each can indicate a potential problem that could lead to a future disruption. An increase in defects could mean a lack of quality control, which could be the result of poor quality inputs from unmanaged suppliers further down in the chain or a staff reduction due to financial stresses. Late deliveries could mean plant slowdowns due to equipment malfunction or carrier problems. And while increased (early) payment requests can indicate the presence of a new, more aggressive, accounts payable director, it can also mean the supplier is undergoing severe, operations-threatening financial issues.

The next step is supplier development. It's not enough to simply point out an issue (such as poor

Why Supply Chain Risk Management is Key to Supplier Management

© Spend Matters. All rights reserved. 5

delivery or poor quality) and ask a supplier to come up with a corrective action plan. The buyer has to initiate the creation of the plan, work with the supplier to detail the plan and to provide the training necessary for the supplier to implement it. Then the buyer has to follow progress and make sure that the plan gets implemented and performance improves. As long as the issue is not financial, this can prevent disruptions due to quality issues or late deliveries.

But just making sure that the supplier is performing to expectations is not enough to prevent disruptions (or cost volatility). It involves making sure the supplier has the knowledge and capability to monitor for, mitigate and manage risks as they arise. That requires continual supplier education, and innovation, to help the supplier identify processes and sources of supply that are high quality and low risk.

But if all this is done, quality, reliability and predictability in the supply base will increase. The only unknowns will be force majeure events, such as natural disasters, strikes and political unrest, that cannot be predicted. But with a risk monitoring and early warning system in place, you can react faster than your competition and initiate initiate action plans and strategies that are already in place. Those plans can be complemented by dual sourcing and other appropriate strategies with the help of suppliers that are able to quickly ramp up production, capacity and distribution to help out their customers of choice.

Comprehensive supplier management combined with supply chain risk management helps secure supplier relationships, prevent supply disruption and ensure your company is operating both legally and ethically.

This series was originally published on http://www.spendmatters.com. It has been reprinted with permission for riskmethods.

Further information on this topic

and others can be found at this

website: www.spendmatters.com.

Reproduction of this publication

in any form without prior written

approval is forbidden. The

information in this report has been

obtained from sources believed

to be reliable. Spend Matters

disclaims all warranties as to

the accuracy, completeness, or

adequacy of such information and

shall have no liability for errors,

omissions, or inadequacies in the

information contained herein or

for interpretations thereof. The

reader assumes sole responsibility

for the selection of these materials

to achieve its intended result. The

opinions express herein are subject

to change without notice.