Guest post by Heiko Schwarz, Global Supply Chain Advisor, Sphera
Regulators around the world are getting tough. Organizations need to ensure compliance with environmental, social and governance (ESG) legislation not just in their own operations but also throughout the supply chain. Perhaps the best example of this is the German Supply Chain Due Diligence Law (LkSG). But there are many others. As a consequence, we can add compliance risk to the long list of types of supply chain risks that procurement organizations have to deal with. It’s moving up the agenda, too. So how do you put in place, and manage, a program for supply chain risk? We have been working on supply chain risk management (SCRM) for some years now at Sphera (formerly riskmethods), so here is our basic approach.
First, you need to have all the ingredients in place. These are Visibility, Automation and Governance.
Visibility: Your organization needs to be risk aware, and it needs to set up capabilities first to prevent risks materializing into actual crises and second to react quickly and decisively if a crisis does occur. To do this it is essential to have visibility across the entire supply chain network from end to end, including the lower tiers. What is its structure? Who are the key players (incumbents and possible alternative suppliers)? Next, you need to understand all the possible risk factors, not just the major risks because, as we have seen very often, a risk that is perceived as trivial may trigger a sequence of events that materialize as something far more serious.
The two biggest mistakes you can make in risk management are to alert too little or to alert too much. Alert too little and a small threat can easily get out of control. Alert too much and “alert fatigue” sets in – like the little boy crying wolf, people will do nothing when an actual risk materializes. These mistakes are magnified now that supply chain risk has become an issue for the entire organization, covering issues such as regulatory compliance that can damage reputation. Teams responding to risk are cross-functional and if the risk specialists are giving people from other departments (CSR, corporate communications, operations etc.) the wrong signals, this will diminish your capability to put an orchestrated crisis response in motion.
Next, you need to extend your visibility from simply knowing what the risks are to understanding their likely impact. Again, the impact may not be isolated to a single supply chain. Think about what happened during the lockdowns when dozens of supply chains could be adversely affected by a single event. That means you must prioritize your resources and response.
Automation: If you try to create this visibility manually, it is going to be such a drain on your resources that risk management will itself become a risk to your competitiveness! Therefore you must automate where possible to enable your team to take preventive action and react faster when necessary. Today, a fully automated threat detection process is both possible and necessary.
You then need to set the threshold for alerts so that once it is exceeded, the appropriate person(s) (within procurement, these could include category and supplier managers, but don’t forget other stakeholders such as CSR) is notified with the relevant information immediately. And to reiterate, only the appropriate people should be notified, or else you will fall into the trap of alerting too much. Automation can also help to set up a feedback loop to ensure that you learn from risk events and improve your readiness for the next ones. Suppliers and partners should be a part of this mitigation framework – they are part of the solution rather than part of the problem.
Governance: Supply chain risk management is not a matter of ticking a few boxes and saying “job done”. You need to make sure that the program is not only in place but fully adopted. And remember, it is a cross-functional activity. Procurement acting alone cannot deliver a resilient enterprise; this requires the collaboration of many other functions and departments including logistics, quality control, R&D, operations, CSR and so on. Plus it may make sense to bring strategic suppliers and partners into the governance framework. Moreover, you need senior management buy-in, otherwise you can never be sure that these actors will see it as a priority, given that they have plenty of other things to worry about. Management support will also be required to make certain tradeoffs, for example the shift from a cost-reduction stance to one that considers ethical procurement, emissions reduction etc. both from a regulatory compliance perspective and in order to reduce total costs in the long run by factoring in risk. Again, this is not a one-off exercise, so it is essential to put in place processes and a framework for documentation and continuous improvement.
So these are the ingredients of a successful supply chain risk management strategy, but you still need a recipe to put it into practice. This recipe has three main steps: Build the Case, Scope and Prioritize, and Implement.
Build the Case: Start by identifying the internal and external stakeholders (it is easy to forget the latter, including suppliers – don’t! They are part of the solution). For each of them, assess their expectations (the risk dimensions covered, their process involvement etc.) to create a comprehensive risk inventory. Once you have these inputs, you can loop back and align with your company vision and strategy. By doing so you will identify the opportunities and any gaps that need to be filled and will drive benefits and return on investment. In this way you build a business case, demonstrating, for example, how much money you would have saved if you had addressed recent disruptions.
Scope & Prioritize: Define a baseline for a holistic supply chain risk management program. Where will you drive most business value? You don’t have to reinvent the wheel in most cases, so this is where you can take advantage of the knowledge of experts in the field who have trodden this path before. Now set targets so that you will be in a position to measure success and prove to management that the program is delivering value. And don’t forget the people aspect: you need the right skills and organizational setup as well as the relevant data and the ability to analyze it, all within a suitable governance framework.
Implement: Now, with everything in place, you can implement the policies and guidelines. There is a place here for incentives to encourage best practices, and this should also include suppliers and other external stakeholders. You can do this without sacrificing cost savings. And get proactive: educate the organization and suppliers, evangelizing on the benefits. As time goes on, you can enhance the program by broadening it, for example to include the wider aspects of ESG. Finally, let’s say it again, this is a journey rather than a one-off act, so revisit the program regularly, even when you have not experienced any supply chain disruptions, and look for areas to improve.
If you’d like to learn more about a successful SCRM project with a leading manufacturing company, check out this on-demand webinar featuring Signify, JAGGAER and Sphera (formerly riskmethods). Sphera is a JAGGAER partner and offers a solution for dealing with all supply chain risk factors so that customers do not have to buy point solutions for every piece of legislation in every country. In this way a procurement organization can ensure that its entire supplier network is managed in a way that is ethical and sustainable, avoiding compliance risk, along with others, and protecting the company’s reputation. Find out more about Sphera at sphera.com