Supplier Risk and Compliance Management in Practice: Part Two


We look at supplier risk standards, monitoring, and how to do supplier risk and compliance under tight budget constraints.


The ability to manage supplier risk and compliance has become a critical competence for organizations. In Part One of this article, we looked at what is driving the need for supplier risk and compliance capabilities, and how it fits into the sourcing and supplier selection processes. Here in Part Two we look at supplier risk standards, monitoring, and how to do supplier risk and compliance under tight budget constraints.

Supplier Risk Standards

Just as a company should publish a supplier code of conduct, it is important to explicitly tell suppliers what is expected of them to make sure that their business is resilient. This could include many of the items mentioned in Part One under Sourcing / Supplier Selection, including guidelines for business continuity, security and hiring practices, and so forth. The practice of publishing Supplier Risk and Resilience Standards is still not as widespread as it should be (see Figure 6).

Figure 6 – Source: ChainLink Research

Supplier Risk Monitoring

It is important not just to assess risk when you select a supplier, but to continuously monitor for changes to get an early warning that there may be issues that need attention. The earlier the warning, the more time a company has to respond to issues, and the more and better choices it has on how to respond. Monitoring should be based on a combination of:

  • Publicly available data — such as creditworthiness, how quickly the supplier pays its bills, lawsuits, court actions, earnings, number of people on payroll, etc., all of which can be acquired from companies like D&B and mined from publications and the web by bots (software agents for data mining and monitoring).
  • Qualitative supplier performance data — feedback and evaluation of suppliers by the people within the buyers’ organization: buyers, engineers, users, manufacturers, quality personnel, etc. Gather direct intelligence on how the supplier is performing relative to their peers, from the individuals who are interacting with those suppliers.
  • Quantitative supplier performance data — having a centralized database that pulls actual performance data (e.g. on-time delivery, quality, etc.) from the company’s various execution systems.
  • Ongoing Audits — for critical suppliers, risk assessment and auditing should be done at least once or twice a year, more often if warranted. Some companies do event-triggered audits if they see other trouble signs. Auditing is expensive to do. Our research found that many companies don’t do it often enough (see Figure 7).

Figure 7 – Rate of Risk and Resilience Audits
Source: ChainLink Research

SRCM on a Shoestring

Supplier risk and compliance managers should lobby for the resources they deserve. But they also need to manage with the resources they have. In many firms, the same person that does the buying also manages the supplier, the risk, and in some cases compliance requirements as well. With limited resources, it is important to get the most bang for the buck. Firms need to consider the value of each activity vs. the cost of collecting the data and managing the risk.

  • Prioritize, prioritize, prioritize
  • Simplify questionnaires and data collection — focus on the most important data
  • Leverage Third Party Data, Platforms, and Services

Prioritizing by Criticality

It is important to focus limited resources on the most critical suppliers. Almost everyone has some way of classifying suppliers (A, B, C) according to their ‘importance.’ In our research, we probed what makes a supplier critical. For many of our respondents, a supplier is critical if the buyer’s firm cannot ship product without the component or material that the supplier provides AND one or more of these are true:

  • It is difficult to find an alternative supplier with the same capabilities.
  • They supply highly engineered materials with few sources. In these cases, it may be necessary to get alternative sources pre-approved by engineering.
  • There is a high cost of changing suppliers, for example the supplier has built custom tooling for your components or has gone through a complex certification process. Here, it may be worth investing in backup copies of custom tools.
  • You have a sophisticated relationship with the supplier that took time to develop — this might include engineering, manufacturing, quality, and other dimensions.

Leveraging Third Party Services, Data, and Platforms

It is impossible to go it alone. Done on your own, audits are expensive. Collecting information is expensive. Building systems is expensive. For these reasons, companies should seriously look at third parties to conduct audits and collect information, and to provide the systems and services they require. It takes a huge amount of data from many sources to successfully manage and monitor supplier risk and compliance. As companies grow, it is critical that all this information is integrated on a common platform. There are some mature and very capable platforms for managing supplier information, risk, and compliance. CVM Solutions, a Kroll Company, is an excellent example.

Taking the Next Steps

To get out of the Rodney Dangerfield mode (“I don’t get no respect”), those who have responsibility for supplier risk and compliance need to find ways to express the strategic value of their function in terms that the board and C-level understand. This can be showing data on the impact of disruptions on shareholder value, sales, and operating profits, as we mentioned earlier. It can include protecting the firm’s brand — reminders of what having a rogue supplier can do to your reputation. Here are some steps that can be taken to move your company forward:

  • Create a business case for investment — Use hard data and brand protection to make your case.
  • Prioritize!! — Start by working with the resources you have. Try to measure the criticality of suppliers and the value of the information you are collecting, so that you can focus on where the value is.
  • Put processes and systems in place — Supplier risk and compliance management is an ongoing process, not a series of one-off projects. Steps should be taken to put the processes and systems in place to institutionalize it and do it right. It doesn’t have to be a big initiative — take it step-by-step.
  • Involve the right team — Different functions have a stake and role to play including sourcing, compliance, manufacturing, and potentially others such as engineering, finance, and logistics.
  • Measure progress — Try to measure the frequency, impact, and cost of past disruptions and supplier violations, and then set milestones for improvement. Use this to show the return on your investments in these capabilities.

Supplier risk and compliance management is a critical function. Done right, it can finally get the respect it deserves.

See also our Supply Chain Risk Management library.
