Supplier risk management in the spotlight

As the world continues to adjust to the “new normal” brought about by global disruption, organizations must consider the lessons learned from the impact of the pandemic on the supply chain. In this case, widespread shutdowns made a sudden, dramatic impact on many suppliers and the availability of components and other materials. Sourcing, procurement and purchasing professionals are often the first responders in such instances. However, the risk management practices in place at an organization determine whether procurement and purchasing staff have the tools needed to adequately and efficiently mitigate supplier risk.

APQC has gathered insights on supplier risk management as part of its Open Standards Benchmarking research focused on procurement. As part of a global survey, APQC asks respondents from various industries to indicate their adoption of key supplier risk management practices. The findings of this research indicate strength in the area of risk management governance, but weakness related to process and enabling technology.

Clear governance

The good news is that in one area, organizations have clearly developed practices for supplier risk management. In 89% of organizations, procurement is responsible for executing operations related to third-party risk management to a moderate or very great extent. Having clear owners of risk management means that this group has the full scope of information gathered by the organization, rather than sharing responsibility with other groups. Another benefit is that, because they are focused on addressing supplier risk, procurement professionals can negotiate risk management terms into vendor and supplier contracts.

As shown in Figure 1, APQC’s research also finds that 64% of organizations have a highly developed risk governance team for procurement processes. For this group, their team, metrics and progress reporting are not only effective, but are also continuously reviewed for improvement.

The 64% of organizations that continuously review their risk governance team, metrics and progress reporting are focused on remaining nimble in the face of uncertainties across the world. Not satisfied with simply having their governance run effectively, they look for opportunities to improve and adapt to the changing business landscape. These organizations can therefore adjust as needed and remain resilient when changes occur or new risks appear.

When it comes to supplier risk management, organizations have clear ownership as well as flexibility and efficiency of governance. However, the maturity of their risk management begins to break down with regard to process and technology.

Developing process

As part of its research, APQC asks organizations to indicate the maturity of their processes to collect and review the business continuity plans of their suppliers. Overall, organizations have room for improvement. As shown in Figure 2, only 21% of organizations are at the highest maturity level, meaning they are not only collecting their suppliers’ business continuity plans, but are also performing mitigations and continuously improving their processes.

APQC’s data indicates that 23% of organizations are still determining their process for collecting and reviewing these plans, and 21% have no process at all. Further, 11% collect supplier plans but do not act on them. A majority of organizations are clearly at a disadvantage when it comes to assessing and addressing the business continuity of their suppliers. These organizations may have plans in place for disruptions directly affecting their facilities, but they need visibility into how supplier disruptions can affect their business.

It is also worth noting that mistakes or lack of planning by suppliers can have a ripple effect. In consumer-focused industries, customers often do not differentiate between a company and its suppliers. A disruption in supply can lead to disapproval and reduced trust by consumers, even if the company is not directly responsible.

The organizations at the highest maturity level regularly perform mitigations based on their suppliers’ continuity plans and continuously improve their process for reviewing supplier risk. For these organizations, it is a matter of when, not if, the next disruption will occur. By keeping an eye on potential risks, these organizations remain flexible against sudden changes.

Technology support

APQC finds that there is a lag in adoption of technology that supports monitoring for supply chain disruptions and capturing risk profiles. As Figure 3 shows, almost two-thirds of organizations surveyed do not have a system for continuous monitoring for and notification of global supply chain disruptions.

Yet many organizations surveyed by APQC lag when it comes to adopting robust risk profile systems. As shown in Figure 4, one-third of respondents are not using one of these systems at all—either because they have no plans for one or because they are in the process of developing one in-house.

As with other risk management efforts, having little to no risk profile data leaves organizations vulnerable in the event of a disruption. Without insight into their suppliers’ operations, these organizations will be much slower to react to unexpected events. Those organizations using a system that supports both proactive and reactive risk management are much better positioned to address risk. Rather than losing time reacting to an issue they could have foreseen, they can address issues before they become problems and focus efforts on shortening response times to
unexpected disruptions.

Be prepared for the future

Although organizations are prepared to address risk from a governance standpoint, they lack the robust technology needed to support risk identification and mitigation. Without a clear picture of potential risks and their impact on the business, organizations are unable to be proactive and lose crucial time when they must respond to a supply chain disruption. If time is money, then these organizations are losing money from their slow reaction.

As shown in Figure 5, the largest group of organizations in APQC’s research take one day to identify affected materials, sites, commodities and products when a supply chain disruption occurs. Nearly 30% of organizations take one week. Needing this much time (or longer) can be crippling for a business.

Procurement has a mandate to take the lead in supplier risk management, but a robust risk management program requires a multifaceted approach. Organizations must collect and track their suppliers’ business continuity plans to ensure that these key partners are doing what they can to address their own risk, as well as meeting expectations set by the buyers.

In addition to risk mitigation through supplier relationships, organizations must adopt technology that can closely monitor the risks posed by suppliers, as well as potential disruptions in the broader business landscape. Given the various natural disasters and geopolitical disruptions of recent years, as well as the uncertainty caused by COVID-19, organizations must take steps to better anticipate disruptions and mitigate the risk from their suppliers. To do otherwise leaves them vulnerable to significant losses of time, money and customer trust.

About APQC

APQC helps organizations work smarter, faster, and with greater confidence. It is the world’s foremost authority in benchmarking, best practices, process and performance improvement, and knowledge management. APQC’s unique structure as a member-based nonprofit makes it a differentiator in the marketplace. APQC partners with more than 500 member organizations worldwide in all industries. With more than 40 years of experience, APQC remains the world’s leader in transforming organizations. Visit us at apqc.org and learn how you can make best practices your practices.

SC
MR