Four Steps to Mitigate Supplier Risk and Protect Your Supply Chain

Predicting and preparing for variables that can affect your operations

Supplier risk management is defined as the process of predicting and preparing for the probability of variables which may adversely or favorably affect the supply chain. Supplier risk management is not a new concept; however, the types of risk that can affect the supply chain and the ways in which these risks are managed and mitigated have evolved significantly. The need for proactive and predictive management strategies is ever present in business today.

We've determined that a best-in-class supplier risk management process consists of four steps and manages risk throughout the lifecycle of a supplier. The four steps are certifying suppliers, monitoring external and internal risk levers, analyzing continually and repeatedly to determine how programs are affecting the business, and mitigating risk by planning for potential disruptions. These four steps encompass the entire lifecycle of a supplier and the sourcing process.

Step 1 — Certify

Integrate risk mitigation and dependency into the sourcing process.

Choosing a supplier has inherent risk. A strong sourcing process mitigates that risk, and incorporating risk into your current metrics can help ensure that suppliers coming into your organization can meet business requirements and will be able to successfully deliver their product or service:

  • Know the marketplace — New suppliers and technology advancements bring opportunities to take risks that can be positive for a business. However, economic or environmental events can bring an industry to a halt. Established suppliers may be hurting due to the latest hurricane or recession. Marketplace due diligence will prepare you to find the right suppliers to go out to bid.
  • Ask the right questions — When going out to bid for a product or service, asking the right questions in the RFx process can elicit the type of information you'll need to truly determine a supplier's health. The following are examples that should be considered for every potential supplier:
    • Dependency ratio — What percentage of the supplier's total revenue comes from your business?
    • Tier-two suppliers — You should consider whether you have exposure to a tier-two supplier that may service multiple tier-one suppliers in your portfolio.
    • Business requirements — Does the supplier have your organization named as an "also insured" on their insurance certificates?
    • Legal — What suits, liens or judgments have been filed against a supplier and how could that affect their ability to provide service to your company?
    • Governmental — Are they on the U.S. government's debarred list, do they have OSHA violations, do they have I-9 certifications and do background/drug checks for people working on your account?
  • Trust but verify — Certify your suppliers using your own criteria. Verify supplier information against a third-party source. Information providers such as Dun & Bradstreet can provide a more holistic view of the supplier's health, including payment information (whether they are paying their suppliers on time), legal information (status of suits, liens and judgments or criminal activity) as well as predictive indicators as to their financial health going forward.

Collect, aggregate and centralize all required information and documents for established suppliers.

Data integrity and visibility are important to every aspect of supply management. Having a centrally located database of supplier information and required documentation will not only increase efficiency, it can help maintain compliance and give your organization the visibility it needs to take action.

  • If your data sit in multiple systems and you're working with various business units, there are products that accept data collected from various sources and append them to create the business intelligence needed.
  • Aggregate supplier information and required documents in one system. A best-in-class approach to aggregating these data is to create an interactive supplier portal and allow suppliers to log in and supply the information themselves.

Repeat the process annually to maintain up-to-date information.

Managing risk is not a one-time event. Managing supplier information shouldn't be either. Implementing a process where established suppliers will update their information annually will help ensure that you are working with the most current information.

Step 2 — Monitor

Identify the suppliers that have the most impact on your business.

Not all suppliers are of equal value in your supply chain. Stratify them into categories that make sense for your business. For example:

  • Strategic — those who are woven into the fabric of your company;
  • Critical — those that could cause a disruption in your manufacturing line, your services or delivery to market, such as an IT consultant working on code for a new product you are about to market;
  • Approved — a supplier that has gone through a due diligence process but one that can be replaced without severe disruption; and,
  • Used — suppliers that are low-dollar, low-value, easily replaced and did not go through a formal due diligence process.

Identify the types of supplier risk that will most affect those suppliers.

Determine the types of risk levers that can affect suppliers and how prepared your organization is. The following risk levers are examples of variables that can cause disruption or bring an opportunity to your supply base and can be tracked: Financial, Environmental, Operational, Legal, Political.

Strategic and Critical suppliers should be monitored daily, while Approved and Used suppliers may only need to be monitored weekly or monthly. At the very least, all suppliers should be reported upon every quarter. A supplier that you spent $50 with for a widget can ruin a brand or cause a public relations problem if they are debarred by the U.S. government or found guilty of using child labor.

Determine which sources of information to monitor.

News feeds, government control lists, court filings, payment history, earnings reports — these are just a few of the external information sources you can use to monitor suppliers. Technology solutions today can amass these sources and then filter to what's most important for each supplier or to your business as a whole.

Internal information can also be used to monitor suppliers. Two excellent sources that are often overlooked are internal surveys and surveys of external colleagues who use that supplier. These give more subjective insights that will lead to a better understanding of how the supplier is perceived in the marketplace.

Establish a repetitive process to monitor external and internal data in real time.

Supplier failure can happen overnight, as was proven in the last recession. By monitoring in real time, you can proactively manage potential supplier failure and reduce the risk of a disruption to your business.

Step 3 — Analyze

Enrich internal data with third-party information to increase visibility and create actionable intelligence.

If the Golden Rule is "if you do not measure it, you do not control it" then the First Corollary is "if you do not measure the right metrics, you will not properly control it." Bring intelligence to the spend and supplier data aggregated in Step 1 ("Certify") by combining it with the third-party information collected in Step 2 ("Monitor"). Technology in today's marketplace combines the data automatically to reduce the amount of time and resources required to manually analyze and create reports. Suggested areas to analyze include:

  • Corporate linkage
  • Diversity
  • Financial risk
  • Spend by category, by business unit, by country
  • Supplier performance


Trend the information over time.

The Second Corollary to the Golden Rule is "if I am not refreshing my data in a timely manner, I am not properly controlling it." The process needs to be easy and repeatable, and it needs to produce usable information. This is the basic tenet of any good process.

By repeating the analysis and trending the information month-over-month or quarter-over-quarter, you gain a bigger picture of how your supplier performs and what acceptable behavior thresholds are. Additionally, you can gain a better understanding of how your own organization performs.

Here's an example, using courier services: Your supplier's performance against service levels may drop between the months of November and January. During that same period your volume of shipments has nearly doubled (the holiday rush was not accounted for in your contract). The supplier's poor performance is explained by the unanticipated increase in demand. The following year you will account for the increased demand and adjust the SLAs accordingly.

Step 4 — Mitigate

Develop disaster recovery plans in the event of supplier failure.

You can't predict supplier failure with 100 percent certainty. But you can protect your business by planning for it. Your Strategic and Critical suppliers will have the most impact on your business if they are suddenly unable to perform. Proactively prepare for these potentially damaging supplier disruptions by having alternative source strategies in place. Develop supplier contingency plans by documenting competitive suppliers and continually researching for new suppliers. Refresh contingency plans quarterly to keep the information fresh and relevant.

Continually assess the strengths and weaknesses of suppliers.

Repeat steps 1–3.