Supply Chain Risk Leadership Council


Supplier and Service Provider Risk Management

By John J. Brown, Risk Management Professional

Today’s physical supply chains are complex. The journey from raw materials to finished product can be very long, spanning thousands of miles domestically as well as internationally and teeming with risks along the way. Highly competitive markets, disruptive advances in technology, regulatory developments, and shifting consumer preferences mean that today’s supply chains must be agile, adaptive, and responsive.

Evolving business models can amplify supply chain risks and introduce new ones. Nowhere is this more evident than in the complex network of suppliers and service providers that companies increasingly rely on. Managing the risks with Tier 1 suppliers and service providers is challenging enough. Moving to Tier 2 and beyond becomes exponentially more difficult.

Supplier and Service Provider Risk Management Framework

A pragmatic supplier and service provider risk management framework, described in this article, helps companies manage risks. The heart of the framework is a five-stage program, covering the life-cycle from initial selection to termination. These stages are described next.

Initiate: Document the business need to establish a new supplier or service provider and identify candidate suppliers.

Due Diligence and Selection: Incorporate risks inherent in the raw material, intermediate product or component, or service to be provided; then, conduct due diligence on candidate suppliers to understand their ability to meet quality and safety requirements as well as their financial stability and reputation; finally, select an appropriate supplier using the combined inherent and supplier risk scores.

Contract and On-board: Define and document, within the contract, parameters to be met, including service-level agreements (SLAs), specifications, exception procedures, and nonconformance actions; then, ensure that the supplier understands its obligations and how to fulfill them.

Ongoing Monitoring: Establish risk-based frequencies to revalidate due-diligence results, conduct audits or assessments, and monitor conformance to contract terms and SLAs, taking appropriate actions as required based on assessment results.

Termination and Off-board: Whether due to normal expiration of the contract life or termination for cause, ensure that internal systems are updated to prevent access to information technology systems and to deauthorize the supplier’s use of these systems.

Foundational and Operational Aspects: Employ several supporting elements that can help companies achieve an effective and efficient program. A company culture that reinforces supply chain risk management, coupled with governance, policies, and standards, can provide the foundation for an effective program. Similarly, documented processes and procedures—coupled with tools and technology, including metrics and reporting—can help companies achieve an efficient and effective program.

Tools and Technology to Support a Program

Managing the data required to efficiently operate a supplier and service provider risk management program is daunting. Spreadsheets are unlikely to stand up to the needs of managing the data, and a technology solution should be selected and implemented. Defining and documenting the process requirements for a specific company’s business model and supply chain is a critical first step. Once this is complete, one of several available technology solutions can be selected based on the best fit to the documented requirements. Effective due diligence, risk-sensing, and auditing can also benefit from technology solutions.

In Summary

Today’s businesses have no shortage of challenges. From consumer demands, to increased government regulation, to dynamic operational strategies, the need for an effective and efficient supplier and supply chain risk management program has never been greater. Indeed, an enterprise-wide framework and program, covering supplier and service provider risks, should be a strategic imperative for any company.