Supplier Risk and Compliance Management in Practice: Part One
on May 1, 2012
The ability to manage supplier risk and compliance has become a critical competence for organizations. Our research shows why and how to manage and reduce supplier risk--what actually works in practice.
Full Article Below -
Most companies today are heavily outsourced and have suppliers spread out across the globe. Yet firms’ knowledge of their suppliers and the environments they operate in is often limited and out-of-date, crippling their ability to successfully manage the dynamics of their supply base. This has introduced substantially more risk in global businesses. The enormous challenges and vital importance of managing supplier risk and compliance have been made even more evident by the global financial crisis and recent natural disasters, as well as lean business practices.
Supplier Risk and Compliance: Increasingly Important but Under-Recognized
Managing supplier risk and compliance is very important, but unfortunately that importance is often under-recognized. When a marketing executive or engineer does a great job, everyone sees the increase in sales or a great new hit product launched with a big bang . . . and with those successes, the bonuses and praise flow. When a supplier risk and compliance manager does a great job, then what happens is . . . nothing goes wrong. Everything goes smoothly. And most of the time, nobody notices. Of course if they mess up, all hell breaks loose.
It is not so surprising then that our research found that most companies under-invest in managing supplier risk. This is at a time when the need for stronger capabilities to manage risk and compliance are greater than ever. The supply base of most companies has become more global, outsourced, and interconnected than ever before. Volatility in the economy, fluctuating commodity prices, and exchange rates add additional risks. The range of risks goes way beyond just the financial stability of the suppliers (though that is important) as shown in Figure 1, below.
Figure 1 - Numerous Supply Risks
Furthermore, compliance requirements have been steadily increasing over the decades. Corporations have more and more internal compliance requirements. Companies are becoming much more prescriptive and detailed in their supplier mandates in order to run their supply chain and operations more efficiently and smoothly. Compliance manuals for suppliers used to be just a few pages. Now they can be literally hundreds of pages with everything from routing guides, labeling and packaging requirements, shipping and packing, to environmental requirements and more. More companies have supplier codes of conduct, recognizing that the court of public opinion holds them responsible for what happens in their supply chain.
If we look at the broad sweep of history, regulatory and legal responsibilities and compliance requirements have grown more far reaching over time (see Figure 2 below). Driven by public outrage over events ranging from Upton Sinclair’s The Jungle, to bribery scandals of the 1970s, to the Enron scandal, to the subprime mortgage crisis, lawmakers feel compelled to add regulations such as the Meat Inspection Act, the Pure Food and Drug Act, FCPA,1 SOX, Dodd-Frank, and countless others to ensure that businesses behave responsibly. In the EU, where public awareness and concern over environmental issues is more pronounced, they have ETS, WEEE, RoHS, and REACH2 and new regulations on the way, all of which keep getting more comprehensive. In spite of the howls of protest from libertarians and business lobbyists, there is little indication of reversals in these trends towards greater scope and strictness of regulation over time.
Figure 2 – Evolution of Public Policy & Laws: Increasing Rights, Protection, Responsibility
Supplier Risk and Compliance Management (SRCM) is a Strategic Role
The typical CEO is a risk-taker. They (rightfully) get excited about things that will increase revenues and profits. In contrast, they tend to view the management of risk and compliance as a necessary evil, for which they should minimize the costs. It is up to those who manage supplier risk and compliance to show just how vital SRCM (Supplier Risk and Compliance Management) is to maintaining the flow of revenue and profits. This was highlighted in the landmark study by Singhal and Hendricks,3 which showed the dramatic impact of supply disruptions on shareholder value and operating profits (see Figure 3 and Figure 4, below).
Figure 3 – Impact of a Single Supply Chain Disruption on Shareholder Value
By analyzing nearly 1,000 supply chain disruption events, the study found that the stock price fell on average about 25% as the result of each single disruption. Further, the effect persisted and the stock price barely moved for a full year after the event. As seen below, operating income, return on sales, and ROA all fell dramatically.4 These numbers should get the attention of any CEO!
Figure 4 – Impact of a Single Supply Chain Disruption on Income, ROS, and ROA
SRCM managers can use this type of data to elevate awareness and investment in managing risk and compliance. There may also be ROI found for better supplier risk and compliance management through reduction of insurance premiums for policies such as Contingent Business Interruption, Supply Chain Interruption policies, and perhaps FCPA5 insurance, though this is new territory and may take more effort to achieve.
Sourcing / Supplier Selection
Our research found that most companies consider supplier risk during the sourcing process (see Figure 5, below).
Figure 5 – Role of Risk Assessment in the Sourcing Process
However, this can mean many different things. Some of the risk factors that companies consider when selecting a supplier include:
Sole-sourced/Alternative sources—Having redundant sources of supply is one of the most important risk mitigation strategies. When this is not possible, the other risk factors then become even more important.
Financial Health/Viability—Financial reports should be used, but are a rear-view mirror indicator and not always available or reliable for private, overseas firms. In any case, they should be combined with other more forward looking stability and viability indicators, such as quality metrics or performance issues.
Quality Metrics—Metrics for existing suppliers are usually easier to obtain from internal systems. Degradations in quality and performance usually precede degradation in financial viability for a supplier.
Plant Locations—To what degree are the suppliers’ plants exposed to various risks such as natural disaster, geopolitical instability, geographic over-concentration of suppliers, infrastructure risks (power, transport), and so forth.
Switching costs and timeframe—Is there a high level of time and investment involved in switching suppliers? This includes building the technical integration and relationship between the firms, and might include other things like tooling/retooling costs or certification requirements.
Relative Power in the Relationship—Some smaller companies are more comfortable dealing with a supplier that is somewhat closer to their size rather than with a behemoth. If the buyer’s orders represent a material portion of the supplier’s business, the buyer will have more leverage in the relationship.
Supplier’s Business Continuity Policies and Practices—How resilient is the supplier? Do they have the necessary practices and policies in place to avoid, survive, and reduce the duration of disruptions?
Supplier’s Security and Hiring Practices—For suppliers handling sensitive materials and/or intellectual property, what vetting happens in their hiring processes, what is the physical security of their facilities, and do they have specific controls in place (such as separation-of-duty policies).
Exchange Rate Risks—Sophisticated multi-division companies may use natural hedging to reduce their exchange rate exposures. This can play a role in supplier selection, if transactions will be based on the supplier’s currency.
Traceability Systems and Processes—In highly regulated and/or brand-sensitive industries such as pharmaceuticals or aerospace, supplier’s traceability systems may be important. A manufacturer wants to ensure that any quality issues (whether or not they result in a recall) can be traced back to the source.
Social Responsibility Audit—Does this supplier fulfill the supplier code of conduct? What has their past behavior been? Remember, your company’s brand reputation can be damaged by your suppliers’ actions.
Legal or Ethical Issues—Does the supplier have outstanding lawsuits, indictments, or serious complaints?
A typical risk scorecard provides a way to quantify and weigh each of the risks. It may allow adjustments to the weights according to unique needs of each business unit, commodity type, or even individual project. This is especially important for a highly diversified business. For example, the aircraft division may care more about traceability, the consumer products division cares more about social responsibility, and the defense division cares more about security and hiring practices. Some companies set thresholds for each area below which the supplier will not be considered. They may allow for overrides with justification, for example where there is a supplier with very unique critical capabilities. In this case, the company may proceed with that one-of-a-kind supplier who exceeds the normal risk thresholds, but puts in place a specific mitigation plan (in some cases even a redesign of the product to reduce or eliminate reliance on that supplier in the future).
In Part Two of this article, we will look at supplier risk standards, monitoring, and how to do supplier risk and compliance under tight budget constraints.