Every year most of us look back and remain astounded by the impacts that supply chain disruptions and corporate insolvencies have on global business. In fact, we don’t need to look very far to see the ongoing impacts, even now, of Hurricane Sandy, where according to IHS Global, the estimated dollar value of lost business activity exceeded $25B USD. Similarly, according to Dun & Bradstreet, every eight minutes a business files bankruptcy – the equivalent of 219 bankruptcies per year for each set of 20,000 Tier-1 third party relationships. As a result, supply chain uncertainty remains one of the hottest topics out there today.
Nick Wildgoose (Global Supply Chain Product Leader at Zurich Insurance,), Rose Kelly-Falls (Senior VP of Supply Chain Risk at Rapid Ratings,), Doug Markle (EVP at HICX Solutions), and Gary Bahadur (CEO at Razient) were brought together in a globally broadcasted Webinar to share their thoughts and insight on this topic. Below is an excerpt from “Managing Supply Chain Uncertainty: Questions and Answers from Leading Providers of Supplier Risk Management Solutions”
Q1. At what tier in the supply chain are disruptions most commonly occurring?
Supply Chain disruptions are most commonly occurring at the tier 1. Or at least that is where it appears. However there is evidence that it is also occurring at the tier 2 and tier 3 level and even beyond. The disruptions at the tier 2 and tier 3 levels are often never communicated (or they are covered up) to the tier I, unless it is a disruption that can’t be rectified in a timely manner.
At Zurich there are various studies we have carried out on this subject with the Business Continuity Institute. Based on the most recent research that was produced, it was found that around 40% of supply chain disruptions are actually occurring below tier 1.
We have found that the majority of supply chain disruptions are experienced at the tier 1 level, as, often with sub tiers – the chain will course-correct prior to having the disruption affect its way all the way to the top. Even with course correction, however, there is a different issue that often goes unnoticed, which are the hidden costs passed along due to a sub-tier disruption.
Hi-Tech manufacturers started tracking this issue a couple of years ago after they experienced price increases and due to sub -tier disruptions that were invisible to them from the top tier. In the end, each disruption, whether at tier 2 or even tier 5, has costly consequences.
Q2. How should companies be measuring their risk exposure and prioritizing risk mitigation actions?
There are various types of risk, and every company will have their own risks that keep them up at night. It is therefore imperative that companies understand those risks and then think about how they would implement a corrective action given the impact to the bottom line. For example, many organizations have very little insight into the financial stability for private companies with whom they’ve done or continue do business.
Obviously there are major risks, especially if it involves a single or sole sourced supplier who has a major impact to revenue. Given this issue, having the ability to measure the financial health of suppliers is vital and should be a top priority.
Companies should take a top-down approach in looking at the impact of the relevant supplier on their revenue and profitability. They should also be aware of the impact that suppliers can have on their reputation.
I agree with both Nick and Rose, but I also want to underscore that there is not one perfect equation to measure risk exposure, as suppliers and their actions have an effect on many functional areas within an organization.
At its highest level, yes, one should measure and prioritize the risk based on the impact to revenue and cost. With that in mind, compliance requirements vary from supply chain, which varies from legal, and so forth.
As such, each functional area needs to be equipped with the information and processes to mitigate and manage the risk within their view of the world, whether it is FCPA compliance, port strikes, supplier insolvency, etc. In this regard, it is becoming clear to organizations that the vast array of variables, and source systems, can no longer be managed through Microsoft Excel spreadsheets – and many have turned to systems that can aggregate relevant data, drive processes, and provide timely insight across the functional organization.
What is as important is the ability to mobilize quickly upon discovering a risk incident. Per the Mike Tyson quote, “Everyone’s got a plan ‘till they get punched in the face”, the metrics and planning will not always prepare you for an incident. How many corporations put a contingency plan in place just in case a volcano erupted in Iceland? None. It wasn’t a typical risk; therefore, what became as important was: early notification (from suppliers and products at risk), to informing the proper stakeholders with information necessary to take action, and empowering them to take quick action. Proper supplier risk management becomes much more than just collecting W-9’s and involves deeper supplier, or potential supplier, insight (capacity, logistics, products, competitors, etc.)
Q3. What approaches can/should companies take to protect themselves from supply chain disruptions?
Consider three steps that make the initiative simple, systematic and measurable (e.g., “metrics”). Also it is recommended to establish a framework to ensure that processes are being followed. This framework includes the following –
- Assess (e.g., What do you already know about your suppliers?)
- Analyze (e.g., Do you have insight into their financial health?)
- Collaborate (e.g., Sit down with the supplier and discuss potential risk)
- Treat (e.g., Develop a plan for major concerns)
- Follow-up (e.g., Establish a timeframe for reviews)
- Monitor (e.g., Implement a method to have systemic monitoring)
Furthermore, this is continuous and is not only used for current suppliers, but imperative that new suppliers are assessed prior to sourcing. As part of the effort, some companies elect to implement a homegrown system and others elect to implement technology that can assist with the various stages.
Carrying out the proper levels of due diligence and putting into place the proper risk mitigation measures appropriate to the supplier. They should be able to answer the following basic questions, with a positive answer as a starting point:
- Do you know who your critical suppliers are, and how much their failure would impact your company’s profits?
- Have you fully mapped your critical supply chains upstream to the raw material level and downstream to the customer level?
- Have you integrated risk management processes into your supply chain management approaches?
- Do you have routine, timely systems for measuring the financial stability of critical suppliers?
- Do you understand your tier 1 production facilities and logistic hub exposures to natural catastrophes?
- Is supply chain risk management integrated into your enterprise risk management approach?
- Do you record the details of supply chain incidents and the actions you have put in place to avoid future incidents?
- Do your tier 1 suppliers have business continuity plans that have been tested in terms of their viability?
- Have you provided risk training to your supply chain management team?
- Is risk on the agenda at performance meetings with your strategic suppliers?
To answer the question, I think W. Edwards Deming’s teaching and philosophy may apply here. In his statement “You can expect what you inspect”, Deming was emphasizing the fact that, upon inspecting the “inputs” and “process”, the “outputs” can be better predicted.
Many try to measure, or perform mass inspection, of the output product, which can provide “in the moment” notice of a problem; however, the best supply chain managed companies get intimate with their suppliers, understand their inputs and processes, and proactively measure at the foundation to get stay ahead of the cause-effect continuum.
Q4. How can you better understand current supply chain risks in the decision to select a supplier?
The answer to this question is due diligence, and to ensure it is embedded in the selection process at an early stage. Look at the supplier from a locational view of exposures physical, economic and political.
Each potential supplier should be evaluated on the current risk criteria such as financial risk, country risk, and logistics risk. But to see the complete picture of risk, you need to delve deeper into specific risk measurements of that particular supplier, not just based on general risk statistics.
For example, a key risk that is not generally tracked is physical risk to the location, or multiple locations or the locations of their sub-contractors. In this regard, here are some questions that delve deeper into understanding locational risk –
- What are the risk trends around all locations that will be used in your supply chain?
- Does any particular location have frequent issues (e.g. power outages)?
- Are their sub-contractors in a politically unstable country or city?
- Is each location in compliance with the particular laws of that country or region?
Hence a complete profile requires that you have to do your own investigation.
Nick and Gary are absolutely correct, but I would like to offer one additional aspect: get input from all of the internal/functional stakeholders by gaining an understanding of what keeps each of them up at night. As above, each function holds responsibility for different aspects of the supplier relationship, and corresponding risk. Looking at it from unique perspectives, organizations can allow properly perform the required due diligence, and ongoing monitoring, necessary to minimize risk exposure.
Q5. What steps should be implemented to continuously gather vital information, particularly from your tier 1 suppliers?
Upon determining the information needed, and the frequency of updates, it becomes important to:
- Leverage technology, as today’s systems enable companies to automate collecting of information, and distributing it to the people that need it, and when they need it.
- Have a plan on when to collect the information. If, for example, certain types of information is needed from the supplier, and the supplier is engaged only once per year, and with a long, detailed request, compliance is hindered. Often because, people have moved to other positions, the information needed is too daunting for one sitting (or may require multiple inputs from the supplier organization), etc. The best practice is to “ping” the suppliers with small requests to the appropriate person throughout the engagement.
It is essential that the supplier relationship is managed. Suppliers are willing to disclose more information when there is collaboration and a recognized strategic relationship between the parties.
Supplier visits, quarterly business unit reviews and information sharing can reveal critical information, allowing organizations to proactively mitigate potential issues. This becomes a responsibility of the cross functional team (purchasing, planning and control, quality, etc.). As information is being gathered, it needs to be communicated back to organization.
A first step is through your supplier management process and setting down what information you require from them. Also using third parties in monitoring of financial health, relevant news feeds, legal exposures, and emergence of social media.
The first step is actually determining exactly who your critical suppliers are. Many companies have a basic understanding based on top spend, top threats, percentage of parts supplied, or other somewhat measureable metrics. So clearly defining risk criteria for a critical supplier, such as combining single/sole source, unique capabilities, key sub-tiers and top spend should give your valuable metrics. Once you have a valid list (and update quarterly), you can then implement a method to monitor and collect risk information from your network.
Also for your tier 1 suppliers, knowing where each location is, not just their primary sites, what parts and services are delivered by each location and the particular risks specific to each location. Then delving deeper into how your tier 1 suppliers produce your goods and services is key. You have to have visibility into their sub-tiers if you truly want to monitor risk in your supply chain. For instance a location based alert system should be in place to identify potential and actual risk on a daily basis for you to have the ability to rapidly respond.
Risk mitigation runs the spectrum potential solutions (e.g., incident alerts, scorecarding, supply chain mapping, compliance, etc.). If you and your organization are, at all, concerned with risk management, operational risk, or reputational risk, please do visit HICX Solutions’ website. No matter where you are in your supplier risk management journey, HICX has solutions to help you reach your destination.