Over 95 percent of companies surveyed agree that managing supplier risk is critical in the current economic environment and yet, 67 percent of these companies develop risk profiles for one-fifth – or less – of their supplier portfolio! This is just one of the noteworthy findings of a recent survey conducted by Expense Management Solutions in March of 2009. The research goes beyond what is happening in supplier risk management and explores why supplier risk management activities lag far behind the spiking recognition of the risks involved, as well as the opportunities that exist to reduce risk exposure.

The study was sponsored by Expense Management Solutions, Inc., a management consulting firm that is a leader and innovator in strategic sourcing and supplier relationship management strategies, and the Sourcing Interests Group, a professional organization representing sourcing and outsourcing professionals from the world’s leading corporations. This article is part one of a two-part series that will report on the results of this research.

Heightened Concern
with Supplier Risk

Plunging stock prices, frozen credit markets, geopolitical instability, data security breaches, and high profile instances of corporate fraud have elevated concerns about the risks associated with managing an extended enterprise. In response, corporate executives, boards of directors and other critical stakeholders are demanding greater accountability and transparency across the enterprise. Some risks, like that of the financial insolvency of a supplier or labor unrest, can result in business interruptions or worse. Others, like identity theft, fraud, or safety violations can result in fines or legal action, leading to significant damage, both from a financial and a publicity standpoint.

Different industries face different regulations and regulatory bodies, from HIPPA in healthcare to OCC in banking and the FDA in pharmaceuticals. A company may outsource a particular function like IT, transaction processing, or lab testing, but responsibility for compliance with regulations related to these functions cannot be outsourced. In almost every instance, accountability will roll up to the contracting organization, and represents another significant source of risk in supplier relationships.

Establishing compliance programs is one way in which organizations address risk management. In a compliance program, adherence to specific principles, policies and procedures is required by suppliers, who must certify their continuous compliance. The development of business continuity plans, as well as programs designed to monitor the marketplace and the financial health of key suppliers, is also critical. In addition, technology plays an increasingly important role as more regulations include rigorous data collection, tracking and reporting requirements.

But, how is the existence of risk identified? How is the level of risk associated with a specific supplier relationship assessed? How often should risk assessments be reviewed? The answers to these questions have serious implications for companies that want to develop programs to manage risk in individual supplier relationships, as well as strategies to minimize the overall risk in their supplier portfolios.

While all of these factors significantly increase the complexity of outsourcing and managing a supplier portfolio, it remains as clear as ever that the benefits of an integrated supply chain exceed the challenges of managing the associated risk.

Corporate executives understand the challenges they face, even as they scramble to develop strategies to address them. In our recent study of supplier risk management practices, over 95 percent of the respondents agreed or strongly agreed with the statement, "In today’s environment, managing supplier risk is critical." Not one of the survey respondents disagreed with the statement.

Anecdotal evidence also points to heightened concern. Sourcing Interests Group’s 2009 Global Sourcing Summit featured sessions with titles like, "Managing Risk in a Global Economy," "Supplier Risk Management: Mitigating the Risk in Supplier Relationships," and "Managing Supply Risk When Your Suppliers Are Going Bankrupt," among others. In fact, seven of the forty-five sessions had the word "risk" in the title, compared to just two in 2008.

Supplier Risk Management Today

One thing is certain – risk associated with managing an extended enterprise is not going away. Companies are more committed than ever to strategies that entrust critical functions to strategic partners that can leverage expertise, scale, and resources to drive down costs and increase quality and efficiency. So what are companies doing today to address supplier risk and reduce their exposure?

Two critical aspects of supplier risk are risk profiling and risk management. In risk profiling, a company determines a specific set of measures, policies and procedures that are used to alert the organization to risk in a supplier relationship. Those guidelines can be applied in a systematic way across the supplier portfolio. Risk management consists of the structures and processes put in place to act on the information that results from supplier profiling and supplier relationship management programs.

Given the level of concern, it would be reasonable to expect that companies with significant value at risk would be heavily invested in mitigation efforts, but that is not the case – at least not yet. When asked about supplier risk profiling, 67 percent of respondents indicated they develop risk profiles for 20 percent or less of their supplier portfolio. At the same time, 77 percent felt that risk profiles should be developed for more than 20 percent of their suppliers, indicating a clear and significant gap between where they are today and where they would like to be. Risk management activities fare even worse, with over 73 percent of respondents proactively managing risk for less than 20 percent of their supplier portfolio.

Companies are most likely to measure risk during the sourcing process (75 percent), presumably as part of their due diligence procedure. However, less than 40 percent of the participants indicate that they conduct an annual review of supplier risk; and surprisingly,

only 30 percent did so at contract renewal. In the current volatile economic climate, even an annual examination of risk may not be enough. Until credit markets improve and the health and stability of critical industries return to normal, a more robust program of risk assessment is prudent. Through a series of follow-up interviews, we noted that many of our survey respondents were in the process of developing such programs.

Generally, the same department or departments had responsibility for both assessing and managing risk in respondent organizations. The department most often

given responsibility for supplier risk, by a large margin, was the purchasing or supply chain organization, which had responsibility for both processes over 75 percent of the time. The risk/compliance department had responsibility for assessing or managing risk about half as often, as did the hiring business unit.

The tools used to measure and manage risk are generally unsophisticated or homegrown. According to our survey,

only 7 percent use a third party software solution to support risk measurement, and 4 percent use a third party software solution to support risk management activities. The rest use a combination of manual activities, spreadsheets and proprietary software solutions to support supplier risk measurement and risk management.

Part two of this article will cover the risk categories that the survey participants used to identify and assess risk, as well as the obstacles that prevent companies from effectively assessing and managing risk in their supplier portfolios. The article’s conclusion will include recommendations designed to improve a company’s supplier risk management program. For more information on this study, e-mail Robert Teplansky at teplansky@expensemanagement.com.