11 Jul 22

How to address supply chain risk – the risk management journey

Despite growing stakeholder pressure, many companies still do not have an understanding of the compliance, potential risks and impacts of their supply chain. We believe that companies are on an ever-maturing supplier management journey. The ultimate goal of this journey is to integrate sustainable supplier management across their business, in order to create more transparent, responsible and risk-free supply chains.

Supply chain risk can be classified as operational, financial, regulatory, and reputational. These are very strong drivers for the adoption of more sustainable supply chain practices. The key risk that ensures action at all levels of an organisation is financial, and it could be argued that operational, regulatory and reputational risks all impact the bottom line if they are not realised.

The risk management journey

When we talk about the risk management journey, what we mean is that all types of risks are considered and addressed at each stage of the supplier engagement and management process. At every stage of this journey, risk is a key driver for improved performance, and as such should be incorporated into all processes and decisions in order to unlock the strategic and operational benefits of more symbiotic supplier relationships.

At Greenstone, we provide a sustainability supply chain software solution – SupplierPortal – and supporting services to enable responsible supply chains. When we engage with our clients, we look to make engaging suppliers and identifying and remediating risk as simple as possible. As with any project, breaking it down into manageable work streams helps simplify it and ensure continual progress.

We break the project down into the stages of implementing our supply chain management software solution SupplierPortal and ensure that risk is fully addressed and discussed at each stage. Very simply, the risk journey is an acknowledgement of the potential risks that you should be aware of at every stage of setting up an effective supplier management programme.

Below we detail these 5 key steps of the risk journey. For each step, we outline the specific risks the step addresses and practical tips on where to start. This is exactly the way in which we work with our clients during the implementation of our supply chain management software solution SupplierPortal – ensuring we address risk at every stage.

 

Supplier engagement

The risks:

The risks that organisations are exposed to through ineffective supplier engagement are significant. Without a successful supplier engagement phase, you are not going to obtain the data that creates transparency and drives the decisions. You also only really get one opportunity to carry out this process properly, as you don’t want to frustrate suppliers with continued failed and half-hearted engagement attempts.

Other material risks at this stage are depressed response rates and supplier churn. A failure to achieve desired response rates means swathes of incomplete data and unknown risks. Similarly, a process which does not account for new suppliers and remove old suppliers results in the same information gaps and confused data sets.

Where to start:

One of the most common questions asked by organisations engaging their suppliers for the first time is “who should I target?”. Firstly, it is worth reviewing and understanding your supplier list. A deeper look can reveal that a supplier list is not up to date and accurate: many listed suppliers are no longer suppliers and, from our experience, the actual list is anywhere between 40–70% smaller. This makes an enormous difference when planning your approach, as we would always argue that from a risk perspective you need almost complete supplier coverage.

How we can help:

We have multiple clients who distribute their supplier code of conduct through SupplierPortal. These are mandated for all suppliers, and so there is really no reason why you should not be looking to achieve basic compliance across all of your suppliers. Sadly, the risk to your business is unlikely to conveniently sit within the 20% of suppliers that represent 80% of your spending. Therefore, you need to avoid a lack of meaningful coverage, and if you do try a different approach then don’t take a simple cross-section of suppliers but apply geographical, legislative and spend filters to identify ‘high’ risk suppliers. Always ask: is your approach well thought through and defensible to an auditor?

 

Data requirements and data quality

The risks:

Hand in hand with supplier engagement goes data requirements. Risks at this stage include poor response rates, and out-of-date information, again leading to a lack of meaningful data. You also risk creating incomparable, irrelevant or inaccessible data which limits its utility.

Where to start:

Whilst identifying who your suppliers are and what categories they sit in, you also need to understand what it is you are going to ask them. The information you require from a supplier will undoubtedly be linked to their geography and the service they provide and, as a result of these, the legislation or certification requirements that apply. If correctly distributed to suppliers, your data sets should be relevant and therefore comparable within your supplier categories. You should also be careful not to ask for any information that you will not use. The content can and will evolve over time, so there is no need to overburden a supplier in phase one of your strategy.

How we can help:

All of our clients use SupplierPortal to engage suppliers on multiple topic areas. Generally speaking, there is a need for common information across all suppliers (e.g. code of conduct) and policy-related content (e.g. sustainability), with some specific content from certain supplier categories.

All of this can be managed using supply chain software with planning and an awareness of how you want to use the information you are gathering. If you have not thought about how you wish to access and utilise the information which you have gathered, then you may not understand if you have the correct systems and processes in place to produce effective results.

 

Identifying supply chain risk

The risks:

Too often suppliers are engaged, information is gathered and then nothing is done. The effect of this is twofold. Suppliers can become disenchanted with the process and believe they have wasted their time, which can affect ongoing compliance. Perhaps even more important, however, is the fact that risks remain unidentified and unaddressed. Not only this, but you risk legal culpability by having asked the question of the supplier but having done nothing about it.

Where to start:

You need to clearly understand what constitutes a high-risk response (or multiple categories of risk) and what constitutes a non-compliance. A non-compliance is often simple, such as a policy or certificate which has not been provided. However, when it comes to an area like labour rights or forced labour, it could be that a response, or a combination of responses, is indicative of risk and should be investigated further. Understanding this before you review the data for the first time will streamline the process and enable more effective automation of the data analysis.

How we can help:

Naturally, the challenge has always been to find the resource to continually evaluate suppliers. However, this is where software tools can provide automation, both to immediately assess a supplier’s response and to monitor their performance on an ongoing basis. This enables central teams to deal with exceptions rather than manually reviewing each individual response. Software is never a silver bullet though, and that is why we put so much emphasis on how you engage suppliers and what you ask them, in order to create meaningful data sets.

 

Remediating and resolving supplier risk

The risks:

It is one thing to create a robust and efficient supplier review process, but it is another thing to act on it. The ability to mitigate and remediate risk across your suppliers is what we have been building towards throughout this risk journey.

The obvious risks in not being able to do so are that you have known risks that remain open, and you continue to use suppliers that remain non-compliant or do not meet the standards expected of your organisation, your customers and your investors. Not only this, but the failure to effectively remediate these risks undermines belief in the value of the process and is something that will be picked up by auditors.

Where to start:

The challenges at this stage relate to communication and scale and the difficulty of combining the two. You need to engage individual suppliers in dialogue on the risks that have been identified, create an action plan, set deadlines, and track the remediation process. As with the identification of risk, this is a process that consumes huge amounts of resources if it cannot be automated. Once again the capacity to do this effectively is increased by good planning around what information is gathered from which suppliers, and clearly identifying what constitutes a risk.

How we can help:

We have touched on the need for central teams to only deal with exceptions, and in this way, a large number of suppliers can automatically be reviewed using software and the risks identified. However, when you are dealing with large volumes of suppliers, the number of exceptions (i.e. risks and non-compliances) can still be very large.

Again, automation of the process is key. Our clients utilise our risk management tool to automatically create actions for suppliers that have triggered defined types of risk. These actions are sent to suppliers with automated notifications, deadlines, and direct messaging services, streamlining the process. The key is that a small team can manage the supplier action plans by clearly understanding what activity needs to happen in the system at any given time.

 

Ongoing risk management

The risks:

The final piece of an effective supplier management programme is to ensure that the process that has been put in place for engaging suppliers (especially new suppliers), distributing relevant questionnaire content, reviewing data, and remediating risk, is fit for ongoing use.

The key risk of not having an ongoing process in place is that the data evolves. Supplier responses change over time and you need to be aware of this; time-critical documentation can expire; and new suppliers come on board and need to be put through the same review process. All of this requires a continual review of the data and ideally automated notification when new exceptions occur.

However, perhaps one of the key risks is new legislation. The risk is twofold. Either you are unaware of the legislation, which opens up a clear issue of compliance, or your process is not flexible enough to accommodate changes in content, supplier responses and so on.

Without a clear understanding of the status of your suppliers at any given time, the potential for risks to go undetected increases exponentially. Also, if you do not have an efficient ongoing process, instead of dealing with a manageable number of exceptions on an ongoing basis, you are stockpiling issues that will require a heavy lift further down the line.

Where to start:

Hopefully, if you have addressed most of what we have covered so far when implementing your supplier management process then this stage is about drawing on all of that good work.

Those areas of the business that have contributed to questionnaire content should be aware that any changing legislation should be fed into the process. If it is urgent to get updated supplier responses, then you need a simple way of communicating this to suppliers.

If you have been running the supplier review process as a one-off then the resource used may not be prepared for ongoing workloads. So if you have had a successful first phase of data review, this same process should be deployed on an ongoing basis.

From the supplier perspective, you need to ensure that supplier information is continually updated and doesn’t become meaningless.

How we can help:

Greenstone works with its clients to build long-term supplier management processes that address and reduce risk, both now and in the future. As discussed in the introduction, we recognise that clients are on a journey and therefore the requirements change over time. This could be a result of internal drivers or external factors such as legislation.

We ensure that the software put in place can evolve with them. This means that content can easily be altered, response frequencies can be set for suppliers, and importantly automated analysis and notifications continually drive up-to-date information.

Greenstone works with one of the world’s largest banks and financial services organisations, operating in over 80 countries. It provides personal, private and commercial banking services as well as corporate and investment banking. Greenstone worked with the bank to review the information currently gathered directly from suppliers, and to convert the Supplier Ethical Code of Conduct into a questionnaire format. Read more about the challenges and discover the results by downloading the project case study.

Greenstone enables you to engage your suppliers through its award-winning supply chain sustainability software and support services. SupplierPortal is a supply chain management software solution providing your business with transparency and compliance across your entire supplier network.
