Coming to Grips with Supplier Risk
By Donavon Favre and John McCreery -- Supply Chain Management Review, 9/1/2008
These days, global businesses find themselves faced with challenges and opportunities that few would have foreseen a decade ago. Increasingly, customer and supply bases are more globally distributed and dispersed, stretching supply chains further and faster. The drive for cost savings has separated suppliers geographically from their buyers and resulted in increased outsourcing and offshoring activities. Regulatory requirements have increased external oversight. Demands for improved diversity, environmental sustainability, and alignment with corporate social responsibility goals have added costs and complexity. And supply chain strategies such as “just-in-time” and “lean” have shortened delivery windows and driven inventory out of the supply chain, which has in turn eliminated the safety net of “just-in-case” inventory.
Put simply: Modern supply chains now run substantial risks of performance failures or shortfalls.
Historically, supplier risk management has represented the processes that a company employs to limit unforeseen supply disruptions, and to guarantee the supplies needed in sufficient quantity and quality to produce and meet the demand for its end products or services. The current business environment has expanded this definition to include activities that protect the business from supplier events that can impact the company legally, financially, and from a brand perspective.
Similarly, supplier risk management is no longer solely the domain of manufacturing companies and the concerns are not limited to material or commodity purchases. In the United States, approximately 80 percent of the nation's economy is driven by services industries. Companies are increasingly outsourcing service functions such as information technology, payroll, and customer-facing services such as call centers and technical support. Supplier risk management is critical for the services supply chain as well.
The core business value of supplier risk management becomes even clearer in light of the recent headlines about customer dissatisfaction with offshore call centers, costly recalls of toothpaste, pet food and toys, and the damage that those issues caused to the brands of several well-known companies. And because the impact of supplier risk has extended well beyond sustainable supply, CEOs and chief financial officers (CFOs) have become increasingly focused on reducing such risks. Nevertheless, many companies still are not doing enough to actively address supplier risk management. Even the companies that believe they have robust risk management policies in play will likely find big unexpected challenges ahead. This article will present some practical approaches for mitigating supplier risks in future.
The Risks Are Rising
An April 2008 report from risk advisory firm Marsh Inc. and Risk & Insurance magazine states that nearly three out of four risk managers say that their company's supply chain risk levels have increased since 2005.¹ The report, titled “Stemming the Rising Tide of Supply Chain Risk,” says 71 percent of risk managers report that the financial impact of supply chain disruptions has also increased. Not one of the 110 respondents rated their company as highly effective at supply chain risk management; nearly two-thirds described their effectiveness as either “low,” “no formal process to address” or “don't know.” The typical supply manager estimates that just 25 percent of his or her company's end-to-end supply chain is being assessed annually for risk likelihood and impact on overall risk.
A separate report, released recently by AMR Research, found the United States and China are the regions that present the most supply chain risk for manufacturers. The United States was the top geography cited for supply chain risk at 35 percent, with China at 28 percent, and the Middle East and Africa at 12 percent.²
The problems speak to businesses' lack of a holistic approach to supply chain risk management; corporations have traditionally allowed risk management to take a back seat to cost, service, and other company priorities, according to Beth Enslow, Marsh's senior vice president of supply chain risk management practice.
Clearly, there are factors that motivate a company to spend time, money, resources and effort on supplier risk management. Many of these factors appeal directly to the strategic objectives of the CEO, CFO, and chief marketing officer. For example, on the financial front, it is almost always less expensive to prevent a significant risk event than to pay for its consequences after the fact.
Then there is the issue of the company's reputation and its brand equity. These days, supply chain snafus “go public” as soon as they occur. No manager wants his or her company to be the next one cited in the popular press for issuing product recalls or otherwise announcing the results of supply chain problems.
Some elements of supplier risk management are counter-intuitive. We have pinpointed three areas where that is the case:
1. Amount of spend does not matter. Typically supply management organizations sort their suppliers by descending dollars and focus their attention on the top 20 percent of the suppliers that make up 80 percent of the spending. However, low dollar spend suppliers can be a source of significant risk exposure. An inexpensive hose on a large piece of construction equipment can cause the equipment to fail. Theft or loss of customer data by a small information technology (IT) services provider can cause irreparable damage to a bank's brand.
2. Returns on risk management investments can be tough to measure. Selectively and thoughtfully mitigating risk will not provide a benefit if the risk event doesn't occur. Purchase of a backup power system is only of benefit if a power outage occurs. Having redundant equipment spread across multiple locations provides a financial return only if the equipment fails.
3. It's very likely that you will not be fully prepared for some risk events. Even the most successful risk management programs can only reduce risk, not eliminate it. The value of a supplier risk management program has to be measured on a relative basis. Does it reduce the number of risk events, and if so, to what degree?
The Perils of “Flying Blind”
Unfortunately, many companies still have no formal supplier risk management programs in place. In effect, they are flying blind. When problems arise, they may view themselves as the victims of bad luck, substandard suppliers or unfavorable circumstances. Two stories illustrate the point:
A medical device manufacturer produces a monitoring device to measure and interpret a number of patient vital signs. The device uses custom-designed tubing that comes into contact with the patient during measurement. While the cost of the tubing is relatively low, the supply chain risk implications of this material are very large. The company found out just how high this risk was when operating problems at its primary supplier led to serious delivery delays. As a result, the device manufacturer faced the challenges of switching over to an alternate supplier that could meet the necessary product performance requirements—a typical effect with any non-standard component in such circumstances. However, the specialized use of this material in a regulated product introduced other substantial risk factors.
First, since the tubing physically touches patients, it has to meet strict biocompatibility requirements from the U.S. Food and Drug Administration. These requirements are the responsibility of the device manufacturer. Therefore, the manufacturer had to scramble to identify tubing suppliers that were proven to be qualified to biocompatibility standards. Second, since the end product—the medical device—performs critical functions for patients, the manufacturer required that prospective suppliers could demonstrate stringent lot-tracking capabilities. In other words, lot traceability became a 'must-have' sourcing requirement.
So the challenges of satisfying performance, biocompatibility, and lot traceability requirements all came together to introduce a much higher level of supply chain risk than initially noted by the medical device manufacturer. The subsequent product delivery slowdown hurt the company's financial performance. Although the device maker pointed to the supplier as the core problem, its own managers were at fault for not effectively assessing risk and putting the proper risk mitigation strategies in place. All of the supplier risk problems were predictable—and therefore avoidable. If the manufacturer had held additional inventory of this low-cost item and/or qualified a second source of supply prior to the delivery issues, it would have experienced little or no financial penalty or supply chain disruption.
Similar factors were at work when a major construction company used its request-for-proposal (RFP) process to identify and contact a number of other companies to submit lump-sum bids for engineering and design work. Although the work requirements were of moderate technical difficulty, all the potential suppliers receiving the RFP were pre-selected by the company as being sufficiently qualified to perform the work. Upon receipt and evaluation of the proposals, the supplier with the lowest price bid was chosen to perform the work. When asked why its bid amount was so low in comparison to other bids, the supplier stated that it currently had excess capacity and wanted to keep its workforce busy. At that point, a red flag should have gone up. Prior history should have alerted the construction firm to the fact that when one supplier has a significantly lower bid than the rest of the competition, problems are right around the corner. But, since the firm's management team thought they had solid knowledge of this supplier and because they were motivated to capture more cost savings, they chose the low bidder.
Things did not progress as planned. The construction project was dogged by a series of delays and quality problems. Investigation of the issues showed that the supplier was cutting corners with its own processes and inappropriately handing off work to subcontractors that it should have performed itself. Although the construction firm pointed to the supplier as the root cause of the supply chain issues, it was its own worst enemy. Why? Because it ignored clear signs of danger, absorbing a higher level of supply chain risk than intended and doing little to cope with it until it was too late. In hindsight, the firm should have chosen another supplier or modified its approach with the troubled supplier. The necessary risk-mitigation steps would include closer monitoring of progress, greater visibility into the supplier's supply base (including subcontractors), and increased contingency planning to adapt to potential problems.
In each of these cases, the company made no attempt to formally assess the supplier risk or develop a risk mitigation plan, even though the potential for failure was real and the impact would prove to be significant. The risk events each had warning signs that were ignored and solutions that could have been enacted relatively easily prior to the risk event to either eliminate or significantly mitigate the risk. The companies had only themselves to blame.
Getting Started with a Practical Approach
Since most companies of any size have thousands of suppliers, it is impractical to suggest that each supplier must go through a rigorous supplier risk assessment. One approach is to develop categories of risks that can be applied to segments of the supply base. Generally, there are three major categories that need to be identified and managed: industry/commodity risks; geographic risks; and environmental risks.
1. Industry/Commodity Risks. These risks are associated with an entire industry or commodity group. They include factors such as quality, environmental, safety, commodity and labor shortages, price fluctuations, and supply/demand imbalances. The steadily increasing cost of commodities such as oil and gas is one such risk with which most companies can easily identify.
One high-tech company applies “category risk” thinking to management of the thousands of external contractors it hires for tasks ranging from cafeteria and warehouse labor to technical support. Instead of trying to identify individual risks by supplier, the company has identified the major risk areas for each of eight contractor categories. Although some of the categories share requirements—safety training and understanding the company's harassment policies, for instance—each has unique requirements in areas such as technical certification and qualifications.
The high-tech firm's focused approach has addressed a large number of risk issues in a relatively streamlined fashion and significantly lowered its supplier risk in areas such as safety and environmental performance. The company went from five full-time staff managing the old manual process to a part-time role for one procurement analyst to maintain and update the Web site over time. Compliance with corporate standards went up tenfold.
2. Geographic Risks. Geographic risks are focused on a particular country or region, and they include political issues, infrastructure difficulties and currency fluctuations. Understanding the risks in the emerging markets of China and India is clearly important for today's global companies.
One energy industry company successfully mitigated its geographic risk when it was discovered that several of the services it was outsourcing in order to reduce costs were being moved to low-cost countries such as India. The company was buying services in areas ranging from human resources and customer call centers to accounting and IT. Its geographic risk assessment identified India as having significant risks in infrastructure and labor issues, including wage inflation and retention.
The company went ahead with moving a significant percentage of the designated work to India, but it selected only service providers with a global network. That way, any disruptions could be mitigated by moving work to centers outside of India should any problems arise. The approach paid off recently: When two communications cables in the Mediterranean Sea were accidentally cut in January 2008, the energy company experienced no slowdown or interruptions in Internet or phone service to India because its Indian providers were using their global networks to maintain uninterrupted services.
3. Environmental Risks. Risks such as avian flu, wars and natural disasters are generic to the global economy.
Rating Supplier Risk
As risks are identified, they should be evaluated along two key dimensions: probability of occurrence and expected impact (see Exhibit 1). Although there is no universal catalog or table for pinpointing the probability of occurrence or quantifying the expected impact of a particular risk event, it is imperative to get a wide range of data from a variety of experts within and outside your company in order to make estimates. Industry/commodity experts, economists, risk management experts and trade publications are good places to start when building these estimates.

The greatest supplier risks are those with a relatively high probability of occurrence and a large expected impact. A risk rating system allows companies to compare potential risks against each other in order to prioritize them. The ratings can take the form of simple 1-10 scores using “apples to apples” comparisons. Sourcing from a reliable supplier in your home country has a low risk rating of 1; a 10 goes to sourcing from a politically volatile country 8,000 miles away and with a poor track record of delivery and a shaky currency.
Supplier Risk Management and the Sourcing Process
The categorization and rating of supplier risk discussed above are direct inputs to the sourcing process. Since the sourcing process is the domain of supply management, this is where supply management makes the risk management process actionable. If, for example, we have identified food contamination as a risk, this is where we need to tell the supplier what type of testing and documentation we expect and what types of controls we expect throughout the shipping and distribution system. We need to figure out how we are going to evaluate whether the supplier has these fail-safes in place to guarantee the integrity of the product and how we will measure them over time. Supplier risk management is critical throughout the sourcing cycle, as depicted in Exhibit 2.

Starting with supplier qualification, the risk management approach moves on to focus on monitoring of the supplier's performance and then to a collaborative phase in which both parties work toward minimizing supply chain risks.
There has been an increasing need to qualify suppliers around environmental, fair labor, financial and health and safety issues. Some leading global manufacturers facing pressures from government, non-profit organizations, and customers are pushing suppliers to commit in writing that neither they nor their core partners are involved with any inappropriate or unethical business practices. In the financial services industry, regulations such as Basel II and Sarbanes-Oxley are forcing banks to push initiatives that assess supplier risks. And more and more businesses are demanding that suppliers have active plans to become more environmentally friendly.
These factors are driving leading companies to develop centralized, systematic, and readily accessible records of suppliers, products and verifiable certification of each supplier. Technology plays an important enabling role in certifications because it gives supply chain managers good visibility of supplier performance and compliance. With the proper technologies, suppliers can self-register and report their certifications. In the supplier qualification process, scoring is done to assign ratings to suppliers against criteria such as corporate social responsibility. A supplier risk database can provide a searchable repository with supplier profiles and scorecards, as well as a documented audit trail to show that the supplier has met the required certifications.
Supplier Performance Monitoring
Performance monitoring is not simply something that should be done to comply with regulations. The practice helps ensure the strength and safety of the supply chain and leads to better supplier development and collaboration. Monitoring also identifies potential risks in supplier performance and compliance and makes it easier to identify problems before they occur.
Supplier performance monitoring makes it possible to set baseline goals, to tie those to performance scores, and to create alerts if those goals are not met. It also means that companies can identify not just when a target is missed but whether key milestone dates are not met, which would flag an impending problem. Monitoring also allows suppliers to provide feedback to the supply management organization in order to enhance collaboration. Suppliers can monitor their own performance against company goals and objectives. This type of feedback creates a foundation for supplier collaboration.
Supplier Collaboration
Supplier collaboration goes beyond the symptoms of the problem to determine its root causes, to mitigate and help eliminate future risks, and to maximize the supplier's value. Supplier performance management (SPM) technologies give companies the tools to work with suppliers to help them improve. Technology enables automation of joint work processes, and it automatically links project steps and certifications as necessary. SPM technology also provides a uniform mechanism for providing feedback throughout the development process, which lowers the risks of miscommunication of critical elements such as specifications and engineering changes. Just one brief example: A leading global aerospace manufacturer used a joint project management tool to work in harmony with hundreds of diverse suppliers, helping cut its overall product development cycle times by more than 50 percent.
Five Steps to Take Now
Development of an effective supplier risk management program proceeds along five key steps:
1. Ensure the Right Focus. Step one in developing or evolving a supplier risk management program is to prioritize the focus. What are the organization's objectives for identifying and mitigating risks? How will the organization benefit by doing so? How can supply management help drive the risk management agenda?
2. Engage Stakeholders. The supplier risk management agenda should be led by the chief procurement officer. Stakeholders include the CEO, the CFO, key strategic suppliers and partners, and peers in the legal, compliance, health, safety and environmental, and marketing departments. C-level support is critical to a program that intends to truly align supply management goals with the overall business goals.
3. Align Suppliers with the Program Objectives. Communicate clearly and consistently to suppliers about the risk factors to be measured, the rationale for the measurements, and the plan for managing risk over the life of the relationship with each supplier. Collaborate with suppliers by identifying risk gaps and working jointly to find solutions.
4. Capture Immediate Benefits. A program should be geared to deliver immediate benefits, with an achievable objective and clear measurement plan. Early benefits not only deliver value that can then be trumpeted to management, but also gain buy-in from suppliers and the supply management organization to further accelerate adoption and compliance.
5. Leverage Enabling Technologies. Enabling technologies—including e-sourcing, contract management, and scorecards—can help improve the program's efficiency and effectiveness. These technologies can assist in sending consistent messages and defining consistent measurements across a broad supply base. At later stages of development, it will be essential to coordinate and integrate these solutions through a supplier performance management solution.
Making Better Decisions
Supplier risk can never be completely avoided. Companies should view supplier risk in much the same way that a bank views a lender's credit score—a higher level of risk requires a high level of reward to assume those risks. Companies would not typically source to suppliers overseas and increase their risk profiles if the benefits were not significant. Effective supplier risk management can help companies make intelligent choices about these risk and reward tradeoffs. And true supplier collaboration can help minimize risks over the long term.
Getting a supplier risk program to work can be a challenge all by itself. Convincing management to apply employees and financial resources to developing the program will require using arguments that resonate with them. These arguments will certainly include lowering total cost of ownership by having a stronger supply base (for example, safer contractors result in fewer missed days and lower liability insurance costs). The “pitch” should also include benefits such as improved customer satisfaction, strengthening of the brand, and fewer defects and delays.
A best-in-class supplier risk management program requires a company to develop categories of risks, rate those risks, and formally incorporate risk identification and risk mitigation into the sourcing process. Absent such a program, a business is just not properly protected against supply chain disruptions and failures; moreover, its managers lack all the data they need to make sound, balanced decisions. And that should be a matter of great concern to every one of the company's shareholders.
Author Information
Donavon Favre is a lecturer in supply chain at North Carolina State University's College of Management. John McCreery is a professor in supply chain at the school's College of Management.