Creating a World-Class Supplier Risk Management Program: Essential Strategies and Components

Published: September 28, 2020 by Gary Stockton

Supplier risk management has become a top priority for procurement and supply chain professionals. With rising regulatory and compliance fines and the global market disruptions caused by trade wars and the pandemic, a robust supplier risk management program is crucial. Gerard Smith, President and Co-founder of Global Risk Management Solutions, shares insights on creating a world-class supplier risk management program. In this interview, discover the essential components and strategies to effectively manage supplier risk and ensure compliance and stability in your supply chain.

Evolution of Supplier Risk Management Practices

Twenty years ago, when I was in procurement, many organizations self-performed everything. In other words, they collected documents and validated them as best as they could. The issue today is with COVID. With COVID, many companies are concerned. The two things we keep hearing about are the financial stability of the suppliers (are they financially stable, not only today but in the foreseeable future?) and, secondarily, do they have insurance to protect the client company if there are any errors. So, it’s the financials currently, and the insurance companies are most concerned about monitoring.

Increasing Complexity in Supplier Risk Management

Companies are starting to source globally, and more and more companies are concerned about the supply chain and if there are issues, whether geopolitical or whatever the case may be. So the idea here is to manage supplier risk proactively, and so there are three components of that. First, based on a client’s requirements – the ability to do the risk assessment based on specific risk components. Second, having a help desk to try and troubleshoot where there are issues with the suppliers to help them to get into compliance. And third, most importantly, being able to monitor those suppliers for changes in status and getting actual push alerts, to be able to act on those. So, in other words, getting in front of the problem versus finding out that a supplier perhaps filed bankruptcy or showed up on a government watch list or something like that.

Key Components of a World-Class Supplier Risk Management Program

If a company wishes to have a world-class supplier risk management program, there are five crucial components that you would want to see:

Customized Risk Program

A Customized Risk Program is tailored to address specific risk components relevant to a company’s unique needs. This customization can take various forms:

  • Geographical Considerations: Different regions, such as EMEA (Europe, Middle East, and Africa) and APAC (Asia-Pacific), have distinct regulatory requirements and market conditions. A Customized Risk Program can adapt to these regional differences, ensuring compliance and appropriate risk management practices in each area.
  • Spending Levels: Companies often have both strategic and non-strategic suppliers. Strategic suppliers, with whom the company spends more, may require a more thorough and detailed risk assessment compared to non-strategic suppliers. Customizing the risk program based on spending levels ensures that critical suppliers are monitored more closely.
  • Specific Risk Factors: Different industries and companies face unique risks. Whether it’s financial stability, compliance with specific regulations, or reputational risks, a Customized Risk Program can focus on the most relevant risk factors for the company.

The key objective of a Customized Risk Program is flexibility. It must be able to adapt to various factors such as geography, spending, and specific risk elements, ensuring it is not a one-size-fits-all solution but rather a bespoke approach to managing supplier risk effectively.

Adjudicating Information

This involves the critical process of verifying and clarifying data to ensure accuracy. This means systematically identifying and eliminating false positives, which occur when incorrect or irrelevant information is selected. For instance, if you input “Bob’s Plumbing” into a database, you might receive numerous results for companies with similar names. The challenge is to determine which “Bob’s Plumbing” is the correct one that your company works with. Adjudicating information requires sophisticated methods to accurately select the correct entity and cross-verify the details, ensuring that the data is precise and applicable to your specific supplier. This process is essential for maintaining the integrity and reliability of your supplier risk management program.

Reporting

In a supplier risk management program, reporting capability is vital for maintaining consistent and measurable compliance standards. This involves generating real-time, standardized reports that provide current risk ratings for all suppliers. With these reports, management can quickly identify which suppliers are in compliance with set standards and which are not, along with the reasons for non-compliance. Additionally, the reports highlight any ongoing issues within the supply chain, enabling management to address problems promptly. Effective reporting ensures transparency, accountability, and the ability to make informed decisions based on up-to-date risk assessments.

Document Verification and Monitoring

In a supplier risk management program, Document Verification and Monitoring is crucial for ensuring the authenticity and accuracy of the documents submitted by suppliers. While collecting and managing documents can be straightforward, the challenge lies in verifying their validity. Many procure-to-pay, source-to-pay, and ERP platforms face this issue, as they often rely on suppliers to upload documents without proper verification. This can result in the acceptance of invalid or even blank documents.

To address this, a robust system or process must be in place to validate key documents such as certificates of insurance, W9 forms, and other critical documentation. This system should not only collect documents but also authenticate them, ensuring they meet the required standards and are current. Continuous monitoring of these documents is essential to maintain compliance and mitigate risks associated with outdated or fraudulent information. By implementing thorough document verification and monitoring, companies can ensure the integrity of their supplier risk management program.

Continuous Monitoring

Continuous Monitoring refers to the ongoing, real-time oversight of supplier activities and conditions to promptly identify and address potential risks. A primary focus of continuous monitoring is assessing the financial stability of suppliers. This means regularly evaluating their financial health to detect any signs of trouble. If a supplier shows indications of financial distress, such as declining financial metrics or negative market signals, the company can take proactive measures, such as halting purchase orders, to prevent potential disruptions in the supply chain. Continuous monitoring ensures that companies can swiftly respond to changes in a supplier’s status, maintaining the reliability and integrity of their supply chain operations.

Critical Risk Components for Effective Supplier Risk Management

There are eight different risk categories, the risk components that companies should at least address within their program.

Financial Stability

Financial stability is monitoring financial stability in real time and being able to identify if there are issues, whether they are getting in worse financial shape or perhaps getting in better financial shape.

Digital Insurance Verification

The best practice right now is what’s called digital insurance verification. We’re able to manage insurance coverage electronically. We don’t even have to collect a certificate of insurance anymore. We can do it digitally in North America. That means that we can monitor a supplier to ensure that they continue to have the insurance requirements daily, which is a unique situation. So you want to make sure, at a minimum, you collect the certificate of insurance. If you want the best practice, you do digital insurance verification.

Reputational Protection

We do global adverse media monitoring. So as an example, we manage over 25,000 media sources around the globe looking for negative stories because you want to know if your supplier is caught with child labor, or if they’ve closed a facility somewhere in the world that you’re reliant upon. So adverse media is very big at this point because things are evolving very quickly.

Regulatory Compliance

Regulatory compliance is basically anything that’s government regulation. So, it could be the various sanctions lists. Most people don’t recognize there are over 1500 watch and sanctions lists around the globe, including the U.S. OFAC list. That’s a big one. It can be a Conflict Minerals Declaration, U.K. Modern Slavery Act, REACH, RoHS, the California Transparency Act; anything that’s a government regulation falls into that category.

Cyber Security

Cyber Security would be anything that’s involved with data and document verification. It has to be able to collect and validate not only the documents such as a code of conduct, but documents with an expiration date such as an NDA or a diversity certificate. Any standardized documents should be part of the program so suppliers don’t get continuously contacted for more documents.

Social Responsibility

Social responsibility could be anything from diversity verification, child labor, those types of things.

Document Management

Validate key documents such as certificates of insurance, W9 forms, and other critical documentation. This system should not only collect documents but also authenticate them, ensuring they meet the required standards and are current. Continuous monitoring of these documents is essential to maintain compliance and mitigate risks associated with outdated or fraudulent information.

Health and Safety

Finally, health and safety could include an HSC questionnaire, EMR ratings, or OSHA statistics.

Those are eight areas that companies should at least consider looking into as far as potential risk components. Obviously, there are different parts of each one of those, where those are the broad categories.

Global Supplier Risk Assessments: Reliability and Challenges

Depending on what country we’re speaking of. Is the information available? Yes, there are varying degrees of information. You can get more information in North America and EMEA than you can, say, in APAC or South America. Is it available? Absolutely. We can do a supply risk assessment in over 120 countries. So, it is possible to get information. There is standardized information in terms of the adverse media I spoke about. The watch and sanctions lists, those are all global. There’s a variety of things that can be managed globally. Some of it, in terms of the financial, for instance, depends on which country we’re talking about and how much information can be obtained within that country, and secondarily, whether it can be monitored on an ongoing basis. Again, it depends on which country we’re speaking about.

In summary

Establishing a world-class supplier risk management program involves understanding the evolution of risk management practices, addressing increasing complexities, and incorporating critical components such as financial stability, digital insurance verification, and continuous monitoring. By proactively managing supplier risk, companies can safeguard their supply chain and ensure compliance.

Want to go deeper? Watch our on-demand webinar with GRMS

If you would like to hear more about GRMS, watch our on-demand webinar “Mitigating Supplier Risk in a Changing World.” Gerard goes into greater detail on best practices and how you can proactively manage supplier risk while staying resilient in the new normal.

About this blog

The latest insight, tips, and trends on all things related to commercial risk by the team at Experian Business Information Services. Please follow us on social media.
