
Supplier Risk Assessment is Key to Resiliency

April 7, 2021
This past year has taught us all that supply chain leaders cannot and must not remain complacent about risk.

The problem with most supplier risk assessments is that—due to time and personnel constraints—they are often limited in scope and effectiveness, with the highest-volume direct suppliers prioritized. This approach leaves companies blind to major risks in their supply chains, given that roughly 80% of supply chain disruptions originate at lower-tier suppliers. So, hidden weaknesses persist, ultimately leading to costly disruptions.

Consider this: Supply chain experts at McKinsey & Co. have calculated that large companies typically lose the equivalent of two quarters of profit every decade from supply chain disruptions—and that a 100-day supply disruption (which is not uncommon) can easily destroy 30% to 50% of one year’s EBITDA. When you think about it like this, having visibility into your supplier network, beyond tier one suppliers, and knowing any potential associated risks, is essential to business continuity.

Typically, the task of assessing supplier risk is dispersed throughout an organization: One team looks at suppliers’ corporate social responsibility (CSR) and sustainability performance, while others measure product quality data, fire safety, and cybersecurity. There is no cohesive process when it comes to designing questionnaires, requesting information, manually reviewing data, drawing conclusions, and prioritizing—as a company—which supplier risks to tackle first. Accordingly, critical things get overlooked.

Take this example: Last October a fire broke out at a semiconductor manufacturing plant in Japan; it took three days to put the fire out and when the dust settled, production lines were estimated to be down a minimum of six months. As a result, procurement teams—from the high-tech to automotive sectors—were scrambling. The price of some chips went from $5 to $110 in a matter of days and ultimately cost sourcing organizations tens of millions of dollars. A risk assessment survey later revealed that the site did not have an automatic sprinkler system or fire suppression system; in supply chain risk management (SCRM) this is labeled as “high risk.”

Now, imagine if that risk had been flagged and escalated by one or more of the organizations that were sourcing chips from this site. Alternate suppliers could have been secured, or pressure to install sprinklers could have been applied; the cost of installing an automatic sprinkler system could have been paid by one of the sourcing organizations. It’s clear in this case that the cost to install sprinklers would have been dwarfed by the cost associated with the fire. It should also be noted that this fire contributed to the current chip shortage that is significantly impacting carmakers.

In contrast, those organizations that use a consistent program and platform to assess their suppliers across all risk types have better visibility into the overall health of their supply chain and can prioritize—as a company—which supplier risks to tackle first. Whether a company uses a vendor or its own staff to drive a unified supplier risk assessment process, some common principles and best practices should be applied:

Assign a single person or team to run the risk assessment program. By having a single point of contact and/or consistent process when it comes to developing and executing risk surveys and communicating with suppliers, the suppliers are more inclined to cooperate. They know what to expect and can respond to inquiries more efficiently than with traditional methods. What’s more, a cohesive approach means you can establish a consistent way to measure and address risk areas.

Integrate all your supplier risk assessment data in one platform or application. A single platform for all your suppliers and risk types allows you to get the full picture, including detailed supplier risk profiles and visibility into the most significant risks. This way, you can prioritize which to address first. If you don’t have the technology bandwidth to do this in house, there are software solutions available that enable this type of instant, real-time visibility on a single dashboard.

Prioritize risk areas based on business KPIs. Sustainable sourcing may be a higher priority for your organization than fire safety; financial health might take a backseat to cybersecurity. Be sure to align and weight your supplier risk focus areas with the broader business goals. For example, a global technology company has implemented a unified supplier risk assessment program tied to its KPIs, while a consumer products company measures its suppliers’ CSR and sustainability performance—flagging non-compliance and supporting troubled suppliers to improve.

Keep an eye out for opportunities to collaborate with suppliers. According to a recent Gartner survey, 77% of organizations are currently investing in deeper supplier relationships. This includes looking for ways to proactively collaborate with suppliers to reduce risks. For example, we’ve seen some companies fund retrofits at supplier sites for hurricane preparedness. And, during the early days of the pandemic, large organizations identified the suppliers whose survival was critical to their businesses and offered them assistance.

Don’t overburden your suppliers with requests for information. They’re as busy and stressed as you are, especially as they rebuild from the pandemic. Look for ways to streamline the disclosures and surveys you need from them and consider letting them share it with other customers. For example, the supplier can complete one survey on a risk category such as cybersecurity and share it with as many customers as they wish.

The Need for Supply Chain Risk Management

While many organizations can create a cohesive risk assessment program in-house, there are benefits to working with an SCRM solution provider. For instance, you’ll be able to increase the number of suppliers assessed and the impact of your data because an established SCRM provider might have the majority of your suppliers and sites logged into its network.

By using a pre-built, vetted technology platform to assess for all types of risk, the time requirement can drop significantly. On average, a comprehensive risk assessment should take one employee eight weeks to complete, versus two years and multiple employees. Also, an SCRM provider should have a library of survey questionnaires, based on industry standards. The surveys should also be translatable to accommodate global supply chains.

Over the past year, we’ve seen supply chain risk management go from a ‘nice to have’ to a board-level initiative. Gartner reports that 87% of organizations are investing over the next two years to make their supply chains more resilient. There has never been a more opportune time for procurement and logistics professionals to convince their C-suite leaders that now is the time to invest in a cohesive supplier risk assessment program that goes beyond tier-one. Once companies start seeing supply chain resiliency as a growth investment opportunity, it can change how they perceive the dollars needed to be spent in supply chain risk management.

For decades, we’ve been focused on engineering our supply chains primarily to reduce costs. In the process, we’ve built in excessive, often hidden, risks. This past year has certainly served as a wake-up call for supply chain leaders worldwide that they cannot remain complacent about risk.

As my friend and colleague, MIT professor Yossi Sheffi, wrote in his book, The New (Ab)Normal: Reshaping Business and Supply Chain Strategy Beyond Covid-19, “The crisis can be used to overcome resistance to change, because the crisis itself has disrupted the status quo and created a burning platform that demands the organization make changes.”

Bindiya Vakil is CEO and co-founder of Resilinc, a provider of supply chain mapping services and risk-monitoring data.
