How to ride Procurement’s risk roller-coaster

If global supply chain disruption has proved one thing, it’s that proactive preparation for risk, both expected and unexpected, is crucial for an efficient response.

As a function, Procurement plays a central role in identifying and monitoring third-party risk and solving supply problems.  The extent of an organisation’s actions and reactions to risk is determined by several factors, and the differences between companies can be significant.  Nevertheless, supplier monitoring of some form is necessary to avoid potential pitfalls.

During a recent webinar with The Smart Cube, our panel discussed their approach to holistic risk management, sharing plenty of tips for Procurement, and examined the role of personnel, technology and tools for interpreting and acting on risk intelligence. 

Watch the full webinar on demand, and enjoy reading the highlights and benchmarking results below. 


What is Holistic Risk Management? 

An audience poll, comprising more than 220 procurement professional attendees, initiated this lively webinar and confirmed that supplier risk management activities are happening in the majority of organisations.  The poll results revealed that 33% are at least manually monitoring risk through a programme focused on key metrics for selected suppliers, another 28% have a formal programme that is not fully implemented, and a further 24% manage risk through a comprehensive programme of technologies and execution.

Live Poll: Do you have a Supplier Risk Programme in place today? 
(Select one option) 

It’s a team sport – involve everyone! 

According to Alex Tassini-Negri, Head of Global Sourcing at Dun & Bradstreet, these poll results align with what she would expect; especially 33% having a manual third-party risk management (TPRM) programme, because she recognises that several people need to be involved in the overall process. 

Although systems, tools and processes can be used to manage risk, ultimately, the insights from all these need to be reviewed and interpreted by a human being.  She emphasises that everyone throughout the entire supply chain has a role to play in managing and mitigating risk: the responsibility for TPRM isn’t just confined to Procurement, or to Sourcing, or to Legal – it’s a team sport.

Stacie Lee Peterson, TPRM Strategy & Process Lead at Eli Lilly and Company, goes on to highlight that an organisation’s advancement in risk management will also largely depend on industry sector.  For example, a regulated financial services provider will be more mature in their approach, with formal, fully implemented risk management processes regarding people, technology and governance.  The TPRM maturity roadmap will also be determined by the need to support business activities, including company growth, the size of the company and relative maturity of Procurement.  

In certain industries, such as pharmaceuticals, some of the core business activities are performed by suppliers.  This reliance means it is crucial to select, manage and monitor these third parties in the right way, through people-centred activities involving manual components and live conversations. 


Safety first - set good foundations 

A holistic approach to risk management involves an assessment of risks across the whole supply chain, and proactively taking action to mitigate those risks.  Not only does this mean the risks associated with individual suppliers, but also the impact of risks on the whole business. 

Although it’s a broad term that can be viewed from different angles, Stacie explains that for Lilly, a pharmaceutical company, holistic risk management is seen as having two components: 

  1. Potential risk – of working with a supplier 
  2. Residual risk – that which is left after putting in place mitigating controls as determined by the potential risk. 

The latter incorporates a healthy understanding and acceptance that, no matter what the processes are or how sophisticated they may be, 100%-complete risk mitigation is not a realistic possibility.

Holistically, a foundation is needed to identify and add the potential risks to the TPRM lifecycle, so that whenever incidents arise, people find it easy to adjust and work through the issues.  Stacie’s advice when conducting supplier screening, for example, is to take care not to overreact to potential risk triggers and warnings regarding suppliers.  Instead, it’s better to take a more balanced, multi-pronged approach to collecting information during the due diligence process.


Avoiding that sinking feeling 

At D&B, Alex also reviews risk during the initial stages - by first assessing what’s needed by the organisation, then considering the business and financial impact of making the wrong decision in terms of speed-to-market and overall revenues.   

The approach goes even further.  Using the concept of risk as a supply chain, Alex proceeds through a TPRM sequence by asking what is the:

  1. Supply risk?  What is the consequence of having no resources, services or goods? 
  2. Supplier risk?  What is the contracting risk of partnering with the suppliers from a privacy, legal, ethical and IT security perspective?
  3. Operational risk?  What is the performance from the supplier?  How do we maximise the value of that contracting relationship? 
  4. Need for vendor management/supplier management?  Monitoring key performance risk indicators and engagement at quarterly business reviews; talking about what can/cannot be delivered, paying particular attention to the risk of financial default. 

Partnering with the right future supplier is fundamental, if that supplier is to continue to grow with the organisation and be jointly invested in the brand journey.  Alex consistently works through this TPRM cycle to assess risk at every single level and to maintain the most cohesive perspective in addressing risks throughout the programme. 


Benchmarking reveals top risks 

Certainly, the breadth and complexity of risk factors being addressed by the CASME membership community has increased significantly during the past three years.  The pandemic has provided plenty of learnings regarding supply chain issues, in terms of gaps in the supply chain, mitigating the potential issues of losing a particular supplier, product or service, and having to find alternative sources of supply and warehouses to accommodate stock. 

This has led to a global trend, as seen by Graham Crawshaw, Procurement Content Director at CASME, of procurement teams seeking more information, at both pre-contract and contract levels, so that they know where to prioritise their risk management efforts.   

CASME’s benchmarking studies have recently shown financial stability of suppliers to be the biggest concern and still the highest priority in avoiding supplier failures due to high inflation, geo-political and recessionary factors.  Legislative issues are the next priority, including factors such as cyber security, bribery and corruption.  Overall, Procurement’s responsibilities have become far more complex and the challenges increasingly complicated.   

The result of a live audience poll reinforces these concerns.   

Live Poll: Which risks are given your highest priority?  
(Select the top three that apply) 

A change of direction for Procurement 

Procurement has the unenviable task of having to manage all these parameters – each requiring a different response depending on the risk and market status.  In 2020, that would have meant avoiding sole-source/single-source suppliers, adding in alternative suppliers to meet demand, and diversifying the supplier portfolio.  Now, three years later, with the focus returning to cost reduction as a result of high inflation, a different approach to efficiency and productivity is required; one that involves consolidating the supply base for cost containment, as well as searching for negotiation, transformational and digitalisation opportunities.


Appetite for risk and ‘start-up’ co-creation 

Despite protocols and safeguarding controls, the pandemic has forced larger organisations to begin engaging with small, possibly risky, start-up innovators. 

Risk is everywhere, and Stacie recommends becoming comfortable with not necessarily monitoring every low-risk supplier.  Establish a risk tolerance level.  Focus on mitigating the risk with the critical suppliers that are core to your business and have the most impact on financial, security and reputational risk.   

Due to Lilly’s pipeline strategy, and a shift in risk appetite, Stacie reveals that she’s been given new opportunities to work directly with innovative start-ups.  For Procurement, this has meant giving much-needed support to these smaller suppliers to build their infrastructure, and ensuring that, without certification/accreditation, the necessary safeguards are in place. 

As she points out, these partnerships are enabling mutual growth that was previously unattainable due to the low-risk appetite of the company versus the high risk associated with those types of suppliers.  For this break from traditional TPRM to become the norm, it’s been important to define and align the risk appetite of the organisation with that of Leadership, and to revisit that on a perpetual basis.

Adding to this, Alex believes that all organisations now have a huge opportunity for co-creation with these smaller start-ups; although she emphasises the need for the partnership to involve a joint understanding of the acceptable risk to both sides and, more importantly, shared cost ownership.  The burden of risk should not sit wholly with the supplier.  


Tools and tips of the trade 

With a multitude of available options, and so many technology suppliers claiming to deliver similar functionality, the market for risk management tools can seem daunting.  Unfortunately, the solutions are generally not as sophisticated as advertised, but that doesn’t prevent investment uncertainty for Procurement. 

Developing a business case 

When considering TPRM investment, and making a business case for the purchase of a software tool, Stacie recommends the following approach: 

  1. Let the technology market inform your process design.  Don’t start by designing for future capabilities/wants/needs; otherwise, it will be time and cost-intensive to reconfigure 
  2. Instead, assess and understand the available software tools first, and find out whether the core ‘out-of-the-box’ capabilities and process lifecycles will fit your needs  
  3. Use what you have learnt to conduct an RFP to select a process tool. 


Keeping your eyes open and mind actively engaged 

Additionally, Alex suggests a fundamental approach to monitoring risk that can be achieved by gaining visibility and collecting data through the existing systems, tools and people within your company, such as: 

  • Standard reporting tools provided by ERP or procurement system, to gain visibility of spend and suppliers 
  • In-house knowledge of Finance/Accounts, to establish current budget data 
  • Contract lifecycle management (CLM) system for supplier intelligence 
  • Third-party Compliance, Privacy and IT Security teams to augment your data visibility with risk information provided by different tools 
  • External tools that give a snapshot view of low, medium and high-risk areas on which to probe and monitor in future. 

Successful risk management is not confined to systems and tools, and technology is not the panacea for monitoring risk.  This was evident from the majority of responses in a live audience poll, which showed us that although 49% have invested in specific technology, it is not yet optimally deployed, and that about a third of the respondents currently have no technology in place.


Live Poll: What is the status regarding technology when it comes to risk monitoring at your organisation?  
(Select one that applies) 

Preparing for the unexpected 

As a collective, the panel finally gave their tips for successfully embedding an end-to-end TPRM company-wide solution: 

  • Gain executive support for the TPRM programme 
    Leadership sponsorship and advocacy must exist for the programme’s importance to be recognised, and sanctioned so that everyone is involved in and responsible for its success
  • Apply a phased approach, with a robust feedback loop 
    Create a risk roadmap that affords the opportunity to test, learn, correct and improve, before adding on more risk domains.  It will build an important feedback loop that leads to better change management 
  • Understand the needs of the business stakeholders 
    Develop a solution based on the requirements of internal stakeholders, customers, suppliers.  Focus on the core areas first and expand the activities into others 
  • Collaborate with all those involved for mutual benefit 
    Above all else, build relationships within the business and share the workload. 

By assessing potential risks, taking control where possible, and grabbing hold of the roller-coaster’s restraining bar when required, Procurement can be reassured of a relatively comfortable ride.   

It’s impossible to predict the unexpected, but we mustn’t lose sight of the twists, turns, thrills and spills in the journey ahead.  Risk is required for growth and so Procurement needs to feel comfortable with it.  Our advice - keep your eyes open and enjoy the ride! 

