Caveat Emptor: Managing Procurement Risk

As lengthening supply chains become increasingly subject to disruption, procurement risk management must become a core competence with supply management.

1206017803956 10289621

By Anand Iyer

As supply chains organizations gravitate toward a "build anywhere, source from anywhere" mindset, the risks associated with procurement and managing supply lines assume greater proportions.

Examples of real-world procurement risks include long-term contracts at unfavorable prices, excessive dependence on one geography or supplier and supply disruptions due to natural disasters. A few examples:

  • The New York Times reported last November that 90 percent of Southwest Airlines' fuel needs for the fourth quarter of 2007 were hedged against higher fuel prices compared to just 20, 30 and 40 percents for Delta Airlines, Continental Airlines and American Airlines, respectively.
  • In 1995 an earthquake in Kobe, Japan, led to the closures of that country's two largest ports, resulting in more than $100 billion in damages to supply chains worldwide.
  • More recently, a blue-laser-diode shortage caused Sony to slash projections for the PlayStation3 launch in late 2006 by 2 million units.

Supply chain challenges and disruptions such as these may have a negative impact on average operating income and return on sales by more than 100 percent for two years or more after an incident occurs, according to an article by Vinod Singhal and Kevin Hendricks titled "The Weakest Link: New Study Quantifies Financial Fallout from Supply-Chain Malfunctions," in the February 2, 2004, issue of Georgia Tech Research News. Perhaps that's why AMR Research, in a January 3, 2007, report called "Managing Risk in the Supply Chain – A Quantitative Study," by Mark Hillman and Heather Keltz, finds that "nearly 50 percent of firms plan to implement or evaluate [supply chain risk management] technology in the next 12 to 24 months."

Influencers of Risk

Proactive management of supply risk often requires a continuous evaluation of risk factors across the decision continuum – from the design of the procurement network to the actual movement of supplies from origin to destination.

Many of the factors that determine the risk affinity of a supply chain are established in the design stage. In many industries, the first stage where supply chain risk is determined is product design. It is not uncommon to see excess and obsolescence charges for specialized components that are used in a few products or sold in a small number of geographies.

From an operational standpoint, procurement risk management (PRM) begins with the design of the supply network. Our definition of design encompasses the identification of suppliers, the design of the sourcing protocols as well as the definition of contract terms. Although most discussions of risk center on supply volumes, price volatility is an important consideration as well and may require the use of financial strategies that borrow from Wall Street's playbook.

Another well-known source of procurement risk is demand uncertainty. Demand uncertainties coupled with price volatility require supply chain organizations to identify and operate in a narrow zone that keeps at bay the triple threats of unmet demand, excess/obsolescence and unnecessary financial commitments. This is particularly true for industries that experience the "long tail phenomenon" where there are a few high volume products and many medium- and low-volume products. Well-designed supply networks can increase the size of the operational safe zone by providing recourse to feasible alternatives.

In addition to design decisions that account for risk, companies must also carefully consider operational factors that could potentially disrupt the flow of supply. For example, a two-week labor strike at U.S. West Coast ports in 2002 stranded more than 200 ships and 300,000 containers because other ports did not have the capacity to accommodate redirected shipments. Supply disruptions may also be the result of natural disasters, strikes, terrorism, mechanical failures, research and development delays, or unexpected logistics challenges, such as customs-clearance delays.

As more supply chains stretch across the globe, complexities increase and require a careful cost-versus-benefit analysis for each risk-mitigation strategy.

Phases of Risk Management

Even the best-managed companies can be overwhelmed by the prospect of rationally and proactively balancing the potential negative effects of risk factors against the cost and benefits of implementing risk-mitigation strategies. In fact, it quickly becomes clear that managing risk can be at odds with other strategic initiatives, such as reducing inventories and cutting costs. Therefore, effective risk management requires a careful consideration of the appropriate balance among customer service levels, cost and working capital within an acceptable risk tolerance.

In addition, all risks are not equal. They must be identified and categorized along a scale on the basis of the severity of the impact of the risk and the likelihood of occurrence. Obviously, risks with high severity that are most likely to occur should be the first priority.

These are complicated scenarios requiring substantial computing power and sophisticated analysis capabilities. All risk-analysis approaches have two phases, although the specific techniques used in each phase vary widely. The first phase of risk analysis is risk identification and consists of determining the sources of risk, the dependencies among them and the likelihood of occurrence. For example, the loss of a supply source in one location may cause a shortage of transportation capacity in a different area where an alternate supply source is available. The second phase is response analysis and involves determining potential options to hedge against the risk while assessing the impact in terms of both cost and benefit.

The first phase of risk identification often involves variants of the Delphi method of predictive analysis. Developed by the Rand Corporation during the Cold War to predict the impact of technology on warfare, the Delphi method is a facilitated brainstorming or information-gathering process. It involves experts who participate anonymously in iterative sessions by providing predictions with supporting logic. The results from each session are reconsidered by the experts until the process converges on a relative consensus.

Next, probabilities are associated with risk factors through a wide variety of techniques. For example, historical data may provide estimates of variability in forecasts or lead times. Analysts may also use sophisticated regression models to determine errors in long-range growth forecasts. Similarly, the mathematics of extreme-event analysis enables analysts to estimate the probability of rare events. The process results in a good understanding of potential risk factors and their probability of occurrence.

Once risks are identified, the response-analysis phase focuses on estimating the impact of risk factors across the supply chain. This exercise is challenging because the relationships between risk factors are not static. One decision or risk factor may impact other risk factors. In practice, techniques for analyzing risk-decision clusters fall into two families: prescriptive decision models and descriptive simulation models.

Prescriptive decision models, which include many supply chain optimization tools, are designed to prescribe an answer for a given set of inputs. The models used in software solutions are further divided into two categories: deterministic and probabilistic. Both deterministic and probabilistic models provide insight into the interaction between risk factors and supply chain control variables by systematically analyzing different scenarios.

However, while deterministic models use a single number for each variable under consideration, the more sophisticated probabilistic models use statistical probability curves for variables such as demand patterns or the likelihood of a supply disruption. Because of the increased complexity in these probabilistic models, they tend to be limited in scope.

Descriptive models can simulate the operation of the supply chain and generate statistics using a series of simulated inputs that are provided to the model. These statistics are then analyzed to facilitate decision-making. In summary, it takes a combination of sophisticated tools and techniques to effectively determine the appropriate response to supply chain risk factors.

Cases in Point

One example of real-world proactive risk management is at ON Semiconductor, a global supplier to multiple electronics markets, including the fast-paced wireless industry. The company proactively manages the risk associated with procuring capacity. The risk management discipline at ON begins with the recognition that decisions made in other functions often impact procurement risk, and therefore methodologies and tools that analyze the integrated supply chain are a sine qua non.

For example, volatility in demand, contractual commitments to outsourced manufacturing partners, lead time for procurement and currently installed capacity together determine the procurement strategy for future quarters. Similarly, the considerations and decision variables for managing risk are distinctly different for the short-term and the long-term. ON uses a sophisticated set of integrated supply chain scenario analysis tools coupled with a rigorous sales and operations planning (S&OP) process to proactively manage risk across different time horizons.

Another company that has developed and institutionalized a sophisticated procurement risk management process is HP. HP, like ON, reflects the philosophy that risk management is not a one-time or infrequent activity. Nor is procurement risk management about sophisticated tools only. Instead, it is a combination of world-class processes and technology that provide the ability to continuously adapt and improve across the dimensions of organizational structure, process, technology and strategy. More information on HP's practices of procurement risk management is available at

The procurement risk management initiatives at ON and HP demonstrate that PRM requires an investment of time and resources to be effective. But as supply chains become longer, increasingly complex and subject to more severe disruption, the question supply management executives must ask themselves is not whether they can afford to adopt a PRM strategy but whether they can afford not to make procurement risk management a top priority.

Acknowledgement: The author would like to gratefully acknowledge Darren Ward's research on some of the case studies and statistics cited in this article.

Anand Iyer About the Author: Anand Iyer is an i2 Fellow. More information at