To improve resilience and business continuity in the face of pandemics, wars, natural disasters and other vulnerabilities in global supply chains, businesses are adopting comprehensive supplier risk-management initiatives.
An SRM program can mitigate the impact of unpredictable events by identifying potential risks and enforcing contingency or remediation plans. The effort begins with understanding the many different categories of risk, including cybersecurity, compliance, business, reputational, financial, performance and event-related.
Whatever type of risk is deemed to be the most pressing, certain best practices will help any organization build the best possible SRM program.
Supplier risk can be placed into three broad categories: profiled, inherent and residual. Understanding them enables an organization to prioritize resources and mitigate risk, even if its supply chain is complex.
Profiled supplier risk refers to that based on the supplier’s industry, geography, level of compliance, financial and operational status, and any other business-related attributes. When thinking about profiled risks, organizations must account for:
- Compliance requirements. Suppliers with a high likelihood of environmental, social and governance (ESG) concerns, for example, represent a higher profiled risk because of penalties they could incur for being out of compliance.
- Financial and operational results. Suppliers with a record of inconsistent results in this area could have a higher risk.
- Location. Geo-political instability can easily disrupt supply chains. For example, if a manufacturer sources nearly all of its raw materials from a single supplier in a war-torn or politically unstable nation, this supplier could be said to have a high profiled risk. Weather-related events and natural disasters should also be considered.
Gauging the profiled risk of potential suppliers is a critical step in building SRM programs, as it supplies important context for questioning vendors that are part of an organization’s third-party ecosystem.
Inherent supplier risk refers to a vendor’s level of risk before accounting for any specific controls that an organization might require. For example, if a hospital is purchasing a new data analytics system to help the institution analyze patient data, the analytics company must demonstrate data security controls. Otherwise, the vendor would represent an unacceptably high inherent risk for the hospital.
Every organization should gauge vendors’ inherent risks, and begin by considering:
- Criticality to business performance and operations. The risk of failure at a critical tier-1 supplier could elevate it to a high inherent risk score.
- Locations and related legal or regulatory considerations. The disruption, fines and reputational issues caused by non-compliance might drive a high score.
- Interaction with protected data or customer-facing systems. This leads to the need for additional security controls and compliance oversight.
- Fourth-party and nth-party suppliers in the supplier ecosystem. These represent critical dependencies that can impact inherent risk-scoring decisions.
Residual supplier risk refers to that which remains even after a vendor has successfully completed remediations or implemented compensating controls. Regardless of the vendor’s profiled risk, inherent risk, and remediation activities, residual risk can always be left over. A good SRM program brings residual risk to a tolerable level across an organization’s extended supply chain.
To get to this acceptable level of residual risk, organizations must be sure that all suppliers have achieved “must-have” requirements for secure and compliant supply chains. These may include:
- Strong information-security programs,
- Strong disaster-recovery planning,
- Visibility into all fourth and nth parties,
- ESG compliance programs, and
- Insights on raw material sourcing (such as conflict minerals).
Residual risk is not static throughout the supplier risk-management lifecycle. That’s why monitoring the risks needs to be an ongoing process.
With the significant categories of risk understood, organizations have the knowledge to craft an SRM program catered to their unique needs. But there are several steps that can help any organization achieve that goal:
Create an inter-departmental SRM team. Members can include representatives from procurement and sourcing, security and IT, risk management, legal and compliance, and data privacy. Product management and manufacturing teams also have great input on potential risks at each node of the supply chain.
Choose the right risk-management framework. This is the foundation for best practices and proper guidance. Many organizations align with either NIST or ISO frameworks, depending on several factors.
Account for risk with pre-contract due diligence. Ensure that all processes include information-gathering on potential business partners or vendors, including sources such as:
- Business news,
- Adverse media coverage,
- Data breach lists,
- Financial records,
- Sanctions lists,
- Global enforcement lists and court filings,
- State-owned enterprise lists, and
- Politically exposed persons (PEP) lists
Risk-intelligence networks and risk-profiling services can help to automate this rather cumbersome process.
Create visibility into supplier profiles. Maintaining a centralized supplier database is critical to ensuring an effective SRM program. It should include comprehensive supplier profiles and provide role-based access to company contacts, demographics, fourth- and nth-party connections, and risk intelligence. It starts with profiled risk data and external risk information captured during the sourcing and selection stage of the supplier lifecycle.
Rank suppliers based on inherent risk. Organizations should categorize and tier suppliers based on their inherent risk. Effective inherent risk scoring combines inputs from simple internal questionnaires and external risk data gathered during the sourcing phase.
Perform risk assessments periodically to ensure compliance. Once suppliers are profiled, categorized and ranked, organizations can determine the frequency and scope of future risk assessments for each category. For instance, annual assessments of critical suppliers can be based on industry standards, regulatory mandates or unique requirements of the organization. These assessments may request information about internal security controls, business-continuity plans, disaster-recovery plans, and other types of plans.
Monitor constantly for new supplier risks. Supplier risks are constantly evolving and emerging in response to the rapidly shifting economic, geopolitical and cybersecurity environment. It’s therefore essential to continuously monitor your critical suppliers for new business, operational, financial, reputational, compliance and cyber risks. This intelligence can be used to adjust supplier risk scores and trigger response, mitigation and remediation activities, such as sourcing new suppliers, altering shipping routes or requiring further assessments.
Ensure adherence to performance requirements. Many assessment and monitoring programs outlined here can also be customized to evaluate supplier performance against SLAs and other contract requirements. This process can begin by establishing supplier key performance indicators and assigning thresholds and “owners” for each KPI based on the contract’s attributes.
Account for risks that persist after supplier contracts end. Offboarding vendors is often overlooked in supplier risk management, so risks are often heightened after a contract ends. That’s why it’s imperative for organizations to review profiles of suppliers being terminated and conduct offboarding assessments. These can validate that final contract terms were met, deliveries made, IT and physical access revoked, assets returned, and sensitive data destroyed.
SRM must become an integral part of organizations' broader risk-management framework. Building the right program involves several steps, including creating a cross-departmental SRM team, selecting an appropriate risk-management framework, and baking SRM processes into existing procurement and compliance procedures.
Unexpected events break supply chains and change the course of daily life. Organizations must take it upon themselves to ensure these events don’t change the course of business.
Brad Hibbert is chief operating officer and chief strategy officer at Prevalent.