Enhancing Procurement Value with Risk Management

Expanding beyond a one-off exercise of basic supplier due diligence and screening of financial risks, supply risk management today includes a broader set of activities.

They include identifying, evaluating, controlling and the continuous monitoring of a much more extensive set of risks and risk domains for both direct and indirect spend. 

“Simply put, it means procurement teams are taking action to mitigate or bear the inherent risk in third party relationships. Today, there is even an ISO standard – ISO31000 – for those seeking principles, process and guidance on the topic,” explains Nicolas Walden, Associate Principal and UK and Europe Practice Leader, Procurement Advisory at The Hackett Group.

Emphasising that risk management activities should be undertaken early in the process of evaluating whether to do business with any third party, as well as reviewed periodically at least annually, or when a significant event occurs, The Hackett Group encourages companies to focus their efforts on the most critical suppliers and supply chains. 

“Risk management can be the difference between success or failure as modern procurement teams become responsible for all third party relationships,” says Nicolas.  

Echoing Nicolas’ thoughts, Jack Macfarlane, Founder and CEO of DeepStream, explains that “teams must be proactive and evaluate the problems that might occur when acquiring goods or services, or working alongside external suppliers, to build effective strategies to minimise their impact. 

“Once any potential risks have been identified, they must be evaluated to assess their likelihood and strategies should be developed to address them or minimise their impact should they occur”.

Understanding the risks in procurement

Some label the 2020s as a ‘VUCA World’ – one  that is much more volatile, uncertain, complex and ambiguous. Procurement teams are broadening their set of risks and risk domains. The Hackett Group encourages teams to consider the eight risk domains:

1. Supply chain
2. Information security
3. Physical and environment (including geopolitical)
4. ESG and sustainability
5. Financial
6. Regulatory 
7. Quality
8. Reputation.

Vicky Kavan, Director, Procurement and Purchase-to-Pay Advisory at The Hackett Group, gives an example of this from both a manufacturing and services company perspective: “if you are a manufacturer, the most critical risk domains include supply chain risk, financial and information security. This means topics like scarcity and shortages of supply, logistics and shipping disruption or anything extending lead times and cyber security will be in focus.

“For services companies, the most critical risk domains are information security, regulatory and financial. Key topics are therefore cyber and data security, concerns about potential data and GDPR breaches, health and safety, anti-money laundering or bribery and corruption, and compliance with specific regulations.”

Vicky highlights how the current disruptions in the Red Sea are leading to increased shipping rates and disruption to the supply of goods along the Asian-European-North American logistics routes, he also addresses that nearly all companies have felt the effect of shortages of semiconductors or other scarce commodities, components or parts because of the Russia-Ukraine war.

“Both services and manufacturing companies tell us they are increasingly concerned about geopolitical risks and, when asked to expand further, they often highlight the risk of further war, shipping and logistics disruption, and government elections. This year is unique and historic in that there are 64 countries voting to elect a new government across all regions of the world,” she adds.

Ensuring strategic thinking and driving procurement value 

While risk can never be reduced to zero, it can be continuously reassessed, based on the organisation’s activities, sensitivities and risk tolerance. “Without appropriate risk management, an organisation exposes the lives and livelihoods of its people – and often the wider public – to an unacceptable level of jeopardy,” explains Andrew Elvish, Vice President of Marketing at Genetec. 

He adds: “The reality is not everything is in our direct control. In a large organisation, things can and will go wrong on a regular basis. A key KPI for risk management professionals isn’t always how many times things went wrong, but how resilient they were in the face of adversity.”

With effective risk management, organisations can benefit in a number of ways. “The benefits that are most likely to catch the eye of senior management are those that protect revenue and margin. Other benefits may support regulatory compliance and brand protection, thereby avoiding significant fines or unwanted end-customer pushback,” says Nicolas.

Using automotive manufacturer Toyota as an example of a well-established supply risk management programme, Nicolas says: “Toyota, for example, learnt from the Fukushima disaster in 2011 and changed its management philosophy as it related to holding stock and waste. The company opted to maintain a 36-week supply of semiconductors for all crucial supply chains. 

“As a result, in 2020, while other automotive companies issued profit warnings, this company managed to sustain its operations longer. Consequently, it generated billions in additional revenue and profit margin relative to its competitors. It wasn’t until later in 2020 that production was severely impacted and Toyota in turn had to announce its own profit warnings.”

As such, organisations should focus on preparing for significant risks in the most critical supply chains. “Agility can be created through creating mitigation and response plans ahead of time. Conducting ‘what if?’ simulations and ‘war-gaming’ exercises allows teams to prepare and practice, enhancing their confidence and proficiency. These activities ensure that plans will be effective and provide a secure environment for learning valuable lessons,” adds Vicky. 

Best practices to keep risk management strategic and valuable:

• Seek guidance from leadership or corporate risk and compliance teams on the important risk domains that should be continuously assessed and monitored
• Focus time and effort on the most critical supply chains and most significant risks
• Assessing and quantifying the monetary impact of spend, revenue, or margin at risk is not always easy to do, but when done correctly is effective at holding the attention of senior management.

However, Vicky stresses that the reality is businesses can be focused on the short-term. “This can result in companies justifying investments in supply risk management only after suffering significant losses from a major event, such as a factory fire or cyber attack. Moreover, companies often struggle to maintain consistent investment in supply risk management, allowing their preparedness measures to degrade over time.”

Echoing Vicky’s comments, Andrew adds: “As such, effective risk management can help risk procurement to see the bigger picture and avoid the trap of taking short-term decisions that are not in the best long-term interests of the business.”

Technology can lend a helping hand

In the last four years, the procurement technology – procuretech – marketplace has seen a rapid growth in the development of tools to support supply risk management. 

“To manage supply risk effectively, teams will need a tool to automate, control and govern the process of managing supply risk. For teams dealing with large-scale supply bases, especially those with multinational operations, tens of thousands of vendors and multiple complex supply chains, automation is essential,” explains Nicolas. 

He adds: “It enables the efficient execution of risk management activities. Additionally, robust data and information sources are necessary to drive assessments and quantifications. These could include supplier ratings, geographic risk assessments, industry risk ratings and other relevant data points that inform the risk management process.”

The technology market then further breaks down into dedicated segments for global risk and compliance (GRC) tools, information marketplaces and visibility technologies.

“However, it's important to note that while technology is a valuable asset, it cannot replace the need for substantial investment in time, effort and data analysis. Effective use of these tools requires dedicated energy to fully manage supply risks,” concludes Vicky.

******

Check out the latest edition of Procurement Magazine and sign up to our global conference series – Procurement & Supply Chain LIVE 2024.

******

Procurement Magazine is a BizClik brand.​​​​​​​