Next Generation Risk Management Capabilities

Armed with a ‘what if?’ analysis, you can prioritize actions on those suppliers that have the greatest potential impact on your business

Matt McGovern
Matt McGovern

Peter Bernstein’s acclaimed book Against the Odds: The Remarkable Story of Risk takes a comprehensive look into man's efforts to understand and mitigate risks across history. Bernstein concludes that understanding risk underlies success in most every endeavor — from game theory to bridge building.

Now to the layman, perhaps supply management is a less dramatic example than the rest, but Bernstein’s research put a spotlight on what most in a procurement organization already know—that managing risk with your suppliers can be one of the most influential factors in the success or failure of an organization.

Fast forward another 15 years to today when technology has enabled customers, suppliers and partners to be more hyper-connected than ever before.  As a result, the stakes for understanding and mitigating risk in supply management have never been greater, and in many ways, more challenging.  The operating environment for business today is significantly different than it was just a few years ago as undetected risk or exposures can reverberate throughout the extended value chain.  Global dispersement of the supply base has created new challenges, not least of which is managing development and performance of suppliers in emerging markets and determining the extent of which to attempt to manage country-specific risks.

Regulatory pressures have also increased.  BASEL II, OCC, PPACA and SOX are just a few of the many alphabet-soups of regulatory requirements that mandate more active and robust management of your suppliers.  Of course, non-compliance with regulations and laws can lead to revenue loss, penalties and litigation.

As businesses become more complex, companies become ever more reliant on their consultants, vendors and suppliers.  Although it varies by industry, on average, suppliers and vendors account for 50 percent or more of the value of a company’s end-products or services (Source: CAPS Research Cross-Industry Report of Standard Benchmarks).  Accordingly, at least 50 percent of risk lies outside the walls of your business.

IBM recently hosted a roundtable discussion with Chief Procurement Officers (CPOs) and other procurement professionals from leading global organizations, who pegged supplier risk as a top challenge that had significantly increased over the past few years.  

The definition of supplier risk management is also evolving and expanding to include practices that protect the business from an array of supplier and partner-related events.  The definition now often encompasses numerous operational, legal and financial objectives.  Because the impact of supplier risk management goes far beyond sustainable supply, CEOs and CFOs are also taking a greater interest in reducing this risk.

This places increased pressure on supply management professionals to improve their supplier risk management programs, and gear them to avoid supply disruptions and problems while also improving supplier intelligence, collaboration and performance.  To meet the new standards of successful supplier risk management, companies must evolve their strategies and take a more holistic approach to identifying and mitigating risks—and elevate the people, processes and technologies involved in risk management.

Defining and Building a Stronger Program

Given the expanding definition and scope of risk management, a first essential task is setting the parameters for your risk management program.  What are the core goals and objectives of the organization in identifying and mitigating risk?  How can supply management help contribute to the overall enterprise’s risk management agenda? 

Technology and information services can be a starting point to identify sources of risk.  For example, you can identify risk factors sourced from a specific supplier that might be in financial disarray or from an entire geographic region which may be vulnerable to political conflicts or currency fluctuations.  Or you can identify components of production that are either sole sourced or come from very specialized suppliers, thus increasing the company’s dependence on them.

Ideally, the next step is risk prioritization: performing “what-if” analysis and quantifying the impact of supply risk for specific components and commodities.  Armed with such analysis, you can prioritize actions on those suppliers that have the greatest potential impact on the business.

Once a consensus on the risks facing the business (risk map) is agreed upon, the organization must develop a risk model to assess the current state of those risks using defined risk indicators and measurements. These risk indicators allow the organization to draw inferences concerning the probability of an occurrence and the expected scope and impact of the damage.

The risk model serves as the basis for all risk assessments. Indicators and measurements can draw from hard facts such as, (a) credit worthiness of a supplier drawn from credit reporting agencies, (b) the volume delivered from a supplier drawn from the ERP systems, or (c) the performance KPIs drawn from a supplier management solution. Organizations necessarily rely on soft facts as well, such as projected replacement times for suppliers based on on-boarding of alternative suppliers.

Once risk is mapped and modeled, best-in-class organizations typically carry out risk assessment for key scenarios and suppliers, which is used as a benchmarking for ongoing monitoring and assessment – and to inform priorities for proactive risk mitigation and supplier development. 

This risk assessment is then used to develop and identify risk indicators and thresholds, so the company can more readily monitor risk developments and changes. Ideally, as soon as a risk indicator changes, the probability of occurrence and the extent of damage are automatically recalculated. For this purpose, each indicator is assigned a calculation value and a mathematical logic. The risk priority number is calculated by the using an intersection of parameters for risk occurrence, probability and extent of damage. 

In highly-developed risk management programs, risk assessments will be continuously carried out for all suppliers, at varying degrees, and automated in a technology solution. Advanced programs and systems can accommodate risk assessments by various evaluators, particularly if the supplier delivers to different organizations of your company. Developed programs also draw indicators from ERP and other systems and integrate them into risk assessments. This is best done automatically to account for real-time developments. 

A best-in-class risk monitoring model is one that is highly-automated and highly-proactive. At a minimum, an organization should have a system to initiate alerts if a certain trigger is met.  An alert will signal that the risks and indicators have changed or have reached a defined threshold value.  Some systems recognize the risk status based on a risk priority number and signals a need for action.  Developed programs have risk priorities defined and associated corrective action plans which allow staff to initiate the proper actions to avoid, reduce, transfer or compensate the risk.

More advanced programs look to extend that model beyond their own four walls to monitor risk with downstream suppliers, often including those organizations’ sub-tier supply base. Advanced technologies allow for visual illustration of company hierarchies to intuitively show risk between suppliers and affiliates.  Moreover, these solutions offer meaningful analyses and illustrations such as risk graphs, time sequence analyses and portfolio or industry analysis. 

Risk management should inform follow-up activities in supplier management as well. Contingency plans ideally should be defined beforehand, and will be implemented directly upon the occurrence of a defined risk. Such preparation allows for prompt response to risks and minimizes the impact.

Continuous improvement for both the supply management organization and for suppliers is the hallmark of success in supplier risk management. When a company fosters a risk management culture and works with its core supply base over time to identify improvement opportunities and metrics, it not only reduces the company’s risk profile – it delivers broader value to the organization.

From a ‘Sea of Data’ to Actionable Supplier Intelligence

Historically, companies most commonly used manual processes and spreadsheets to manage these tasks. Those further ahead automatically pull data from ERP or other systems to support this process. Today, companies with more developed supply management programs use e-sourcing and contract solutions, and the data derived from those solutions, to further support their risk management programs. 

However, according to an Inside Counsel survey and market data from the research firm Aberdeen Group,  only about half of Global 2000 companies have implemented a contract management solution, only one out of five companies use supplier scorecard tools, and only about one in six companies apply sourcing solutions specifically to their risk management programs.  Fewer still use dedicated supplier risk or supplier lifecycle management solutions. 

So, what is limiting these companies from undertaking this holistic approach, especially in light of the benefits to be gained? At the typical Global 2000 company with more than 20,000 suppliers, the essential challenge of supplier risk management is the collection, control and application of information. With a large and increasingly global supply base, and supplier data scattered across disparate and diverse systems, most companies are overwhelmed with managing all this data and applying it to their processes. 

Best-in-class organizations have a defined supplier risk management technology road map that ensures the organization is empowered with the data and intelligence needed to make informed business decisions. This allows them to anticipate, mitigate and manage risks on a global scale. 

This may explain why supplier intelligence is one of the fastest growing areas of technology spending. Analysts estimate that investments in supplier intelligence technology will grow three times faster than that of any other procurement technologies through at least 2015. 

With a single, accurate and robust supplier intelligence platform, companies gain broad visibility into potential supplier risks; the ability to mitigate risks before they develop by leveraging intelligence and risk modeling; and the establishment of plans to react quickly and flexibly in the event of a supplier disruption to reduce its impact.  They are also better able to address other related objectives, including supplier compliance to supplier performance management. 

But even with all the data in the world at your fingertips, something like managing supplier risk can be a Herculean task.  That is why companies are beginning to explore predictive analytics. 

Analytics is one of the key common denominators used to enhance thinking, methodology and practices to solve some of the most complex challenges facing organizations.  Specifically, advanced analytics can help organizations predict, with confidence, what will happen in the future so that they can make smarter decisions and improve business outcomes.  You may never be able to take risk completely off the table, but you can go a long way towards mitigating it by combining comprehensive risk management models, supplier intelligence and predictive analytics. The application of these technologies are nearly limitless, from next generation risk modeling and projecting spending trends to demand management and analyzing volatility within the supply chain. 

Unfortunately predictive analytics can’t tell us with certainty what the next 15 years has in store for procurement organizations tasked with managing risk. But we can say with a fair degree of confidence that these risks will only continue to grow in complexity while presenting challenges we haven’t yet imagined. With a sound and flexible foundation on which to base your risk management decisions, supported by innovation supply chain technology and analytics, organizations can evolve with those risks to avoid the dangers that await less-prepared competitors.

Matthew McGovern is the Market Segment Manager, IBM Procurement and Contract Management Solutions. He is responsible for product marketing of IBM's Emptoris Source to Contract solutions, a suite of supply and contract management solutions which are employed by more than 350 Fortune 1000 and Global 2000 companies. He has been with IBM Emptoris for more than 3 years, focusing on contract management solutions and more recently extending solution coverage to include the entire source-to-contract process.

Companies in this article