Co-Managing Supplier Risk: Part 2 - A Case for Co-managing
on May 7, 2013
A new approach offers the potential to manage risk across your entire supply base without breaking the bank. Your most highly paid resources can focus on strategic high-value work, while tactical tasks are co-managed by a third party.
In Part 1 of this series, we looked at how the trend towards outsourcing, combined with ever-greater regulatory burdens, has made managing supplier and third-party risk increasingly important, difficult, and expensive. We also examined why the traditional approach to prioritizing supplier management resources falls short when it comes to managing risks. In this part two, we look at a new approach: segmenting risk tasks and having a third party co-manage the tactical risk tasks to reduce costs and risks simultaneously.
Segmenting Risk Management Tasks
The way suppliers are typically segmented may work well for prioritizing procurement resources on supplier selection, managing supplier performance, and supporting and developing strategic suppliers. But it doesn’t always work well for prioritizing resources on risk management and compliance. Many B and C suppliers may be easily switched, but still represent large material risks to the company (such as litigation or regulatory fines).
One answer to more effectively manage supplier risks is to segment the work into strategic vs. tactical risk management tasks, regardless of which tier the supplier falls in. Figure 1 below illustrates an example supplier risk framework, with various categories of risks, showing strategic vs. tactical risk management tasks for four of the example risk types.
Figure 1 - Supplier Risk Framework—With Example Strategic vs. Tactical Risk Management Tasks
Strategic tasks—require decision making, policy setting, intelligence, and a deeper understanding of the company and its unique situation.
Tactical tasks—are routine and automatable, involving collecting, maintaining, managing, and monitoring large volumes of data.
Micro-segmenting Risk Requirements for Labor-Intensive Tactical Tasks
Examples of Segmentation by Risk Management Requirements
A supplier indicates it is providing Software-as-a-Service (SaaS) or Infrastructure-as-a-Service (IaaS). Further questions might ask what types of information are being handled and what services are being provided, thereby determining the level of security and availability required. The workflow engine might additionally send a message to the appropriate IT expert for a judgment call on what is required. Based on these answers, a set of survey questions is sent to the supplier (about their current security policies, availability guarantees, redundancy in their infrastructure, and so forth) and potentially a set of certifications is requested (such as SSAE 16 Type 2).
A supplier is providing on-site facilities services (cleaning, repair, etc.). The platform requests the appropriate insurance certificates, such as workers’ compensation, professional liability, and general liability. It asks about the supplier’s screening process for employees who will have access to restricted areas within the building that house valuable intellectual and physical assets.
A supplier provides electronic components that may contain one of the “3TG” conflict minerals (tin, tantalum, tungsten, or gold). The system conducts a country-of-origin inquiry, asking about sources, whether certified conflict-free smelters are used, and so forth.
Tactical tasks can consume a tremendous portion of the time of internal experts (e.g. procurement, commodity managers, safety, risk managers, compliance, quality, etc.). By segmenting tasks, internal experts can focus most of their time and effort on strategic tasks, while tactical and routine tasks are delegated to a third party who (if it is the right service provider) can perform these services much more cost-effectively.
Ideally this segmentation of tasks is implemented by a platform with a rules engine that can be configured using rules created by the company’s end-user experts. The platform should provide a self-service portal that asks the supplier a series of questions during the on-boarding / registration process and at other times (e.g. an annual update, or when some risk threshold is exceeded). Based on how the supplier answers, further questions are asked using the rules designed by the expert. For examples, see the side bar above.
In this way, suppliers are micro-segmented, based on the policies and rules created by the company’s own internal experts. This ensures the appropriate labor-intensive tactical tasks are performed, only when needed, based on the risk-exposure rules (type of service/product, geography, etc.), ensuring the right data is collected and the appropriate resources are applied. This provides optimal deployment of limited risk management resources, based on the actual risks.
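The rules-driven micro-segmentation described above, as an added example that is not the article’s or any vendor’s platform code: expert-authored rules are plain data, and evaluating them against a supplier’s portal answers yields the tactical tasks to hand to the co-managed provider, the follow-up questions to ask, and any judgment-call escalation. The rule set and all task and question identifiers are constructed from the three side-bar examples.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass
class Rule:
    """One expert-authored rule: when the predicate matches the answers so far,
    queue tactical tasks, ask follow-up questions, or escalate for a judgment call."""
    name: str
    when: Callable[[dict], bool]
    tasks: tuple = ()          # tactical tasks handed to the co-managed provider
    follow_up: tuple = ()      # further portal questions for the supplier
    escalate_to: str = ""      # internal expert asked for a judgment call

# Constructed rule set mirroring the article's three side-bar examples;
# task and question identifiers are assumptions, not a real platform's names.
RULES = [
    Rule("cloud_service",
         when=lambda a: a.get("service") in ("SaaS", "IaaS"),
         follow_up=("data_types", "availability_needed"),
         escalate_to="IT security expert"),
    Rule("cloud_handles_sensitive_data",
         when=lambda a: a.get("service") in ("SaaS", "IaaS")
         and "PII" in a.get("data_types", ()),
         tasks=("security_policy_survey", "availability_guarantee_survey",
                "infrastructure_redundancy_survey", "request_SSAE16_Type2_report")),
    Rule("onsite_facilities",
         when=lambda a: a.get("service") == "facilities",
         tasks=("request_workers_comp_cert", "request_professional_liability_cert",
                "request_general_liability_cert", "employee_screening_survey")),
    Rule("electronic_components",
         when=lambda a: a.get("product") == "electronic_components",
         tasks=("country_of_origin_inquiry_3TG", "conflict_free_smelter_inquiry")),
]

def segment(answers: dict) -> dict:
    """Evaluate every rule against one supplier's answers (question -> answer) and
    return de-duplicated tasks, still-open follow-up questions and escalations."""
    out = {"tasks": [], "follow_up": [], "escalations": []}
    for rule in RULES:
        if not rule.when(answers):
            continue
        out["tasks"] += [t for t in rule.tasks if t not in out["tasks"]]
        # only ask questions the supplier has not already answered
        out["follow_up"] += [q for q in rule.follow_up
                             if q not in answers and q not in out["follow_up"]]
        if rule.escalate_to and rule.escalate_to not in out["escalations"]:
            out["escalations"].append(rule.escalate_to)
    return out

if __name__ == "__main__":
    # constructed supplier: a SaaS vendor that has declared it handles PII
    print(segment({"service": "SaaS", "data_types": ["PII"], "availability_needed": "99.9%"}))
```

Re-running `segment` each time the supplier answers a follow-up question is what produces the progressive questioning the article describes; the same pass also records which internal expert still owes a judgment call.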
Co-managing Supplier Risk
What is Co-Management?
Co-management is different from outsourcing (as in Business Process Outsourcing, where an entire function is handed over to an external entity). With a co-managed process, the company maintains key responsibilities and functions, but its processes are interwoven with key activities and supporting tasks done by the external service provider, wherever that makes the most sense. The co-managed process typically has a well-defined set of hand-offs between the internal and external teams as the process is executed, with both teams working together as one unit.1
Done right, this is not your typical “throw it over the wall” business process outsourcing. Rather, the tactical tasks need to be interwoven into the firm’s overall supplier management processes. These are co-managed processes rather than fully outsourced processes. For example, supplier on-boarding may be initiated and managed by a commodity manager or buyer in the sourcing and procurement group, who sends the invitation, interacts with the supplier, and monitors progress. But each step could trigger key tasks done by a third party, such as launching a survey, requesting certificates, validating responses, and so forth. All of the information is then collected and made available to the internal sourcing, risk, and compliance team members and decision makers.
Figure 2 - Example Co-Managed Supplier On-boarding Process—Insurance Requirements Verification
As shown in Figure 2, these co-managed activities can be done by a combination of the internal sourcing or risk staff, the supplier portal / risk management platform, the supplier/trading partner, and third party co-managed service provider. Key activities include:
Strategy, Program Design, Governance—Knowledgeable, empowered senior staff should lead the design and creation of risk programs.
Policy Making, Rules Design, Segmentation—Subject matter experts create the policies and design the rules so that the right diligence is done for each circumstance.
Platform Design, Implementation, Updating—The platform executes those rules. Often the solution provider or system integrator will provide the technology expertise to implement the platform, working hand-in-hand with the subject matter experts to configure the rules engine and workflows. Internal IT staff may learn how to take over the configuration and management of the system or it may be run by the service provider as an ongoing managed service.
Keeping Up-to-Date with Regulations, Customer Mandates—A third party can help tremendously with this herculean task, updating the platform as needed and, when necessary, alerting the internal experts when regulatory changes will impact strategy, policy, program, and rules.
Data Collection and Management—This is the type of tactical, labor-intensive activity well-suited to a third party that specializes in collecting and organizing surveys, supplier data, etc. A good technology platform can reduce the workload greatly, while ensuring data accuracy and completeness.
Screening, Due Diligence, Follow-up—Labor-intensive tasks well-suited to specialist service providers.
Ongoing Monitoring and Alerts—A good monitoring and alerting platform is key. But somebody has to be there to initiate corrective actions. This can be a co-managed process, with a third party being the first line of action for mundane alerts while internal experts handle more complex or high consequence issues.
Mitigation and Remediation—A good platform provides tools to organize the response. Internal experts within a company need to own the response to ensure that large looming risks are being properly resolved.
The ROI of Co-Managed Supplier Risk Management
There are two sides to the ROI equation for co-managed supplier risk management:
Reducing Cost-of-Diligence—the total amount spent in supplier due diligence and risk management
Reducing Cost-of-Damages—the ongoing risks; likelihood and actual cost of supplier-induced damages
Supplier Risk-Cost Tradeoff
Managing supplier risk is a tradeoff between the cost of diligence vs. the cost and likelihood of actual damages caused by suppliers, directly or indirectly. Normally, more spent on diligence results in lower actual damages, but it reaches a point of diminishing returns. Disciplines, process improvements, and systems that reduce the cost of diligence while simultaneously reducing the risks of supplier-induced damages are more valuable than just throwing more resources at the problem. This is akin to ‘moving the efficient frontier.’
Many if not most companies are quite inefficient at tactical supplier diligence processes. They have a hodge-podge of procurement professionals chasing suppliers to fill out surveys and submit insurance and other certificates; safety people chasing down suppliers’ safety guidelines/manuals or OSHA incident reports; legal chasing down their FCPA or CFPB program compliance; and so forth. For most of these people, this is an ancillary part of their job (and often one of the least rewarding parts). Further, these efforts are often not unified in one system, so finding the information after it is collected can be like searching for a needle in a haystack, wasting more precious time and resources.
There are a number of reasons that third parties that specialize in providing tactical supplier risk management services can do them much more cost-effectively than in-house efforts:
Economies of Scale—Third parties that serve hundreds of companies can realize efficiencies not possible in individual companies. When there are significant overlaps in the supplier base of the provider’s clients, then the data can be collected once and reused many times, especially for standard data.
Economies of Specialization—The service provider specializes in these tactical tasks. It is their core competency, not an ancillary task as it is for internal teams. This enables the third party to learn over time and make the investments needed to become excellent at these tasks.
Investment in Technology—Because it is core to their business, service providers will typically invest heavily in platforms to streamline the collection, maintenance, monitoring, and searching of supplier risk documents, certificates, surveys, and data. This not only saves a tremendous amount of labor, but dramatically improves the consistency and quality of the data collected. It also allows for supplier self-service and ease of locating documents and data in a centralized repository.
Accumulated Expertise—Experienced providers have developed methodologies, processes, and libraries of templates using knowledge accumulated over the years. Having worked with hundreds of different companies, they have learned what works and doesn’t work and can guide clients to best practices.
Staying Up-to-Date—Often a provider has a team dedicated to keeping up with regulatory changes, denied party list updates, and legislation, to make sure its clients stay in compliance. It is virtually impossible for an internal team to dedicate this level of resources to staying current on such a huge volume of regulation and rules.
Because it takes so much effort and the people doing the chasing may feel it is not their top priority, many organizations simply do less of the required diligence and/or do it very inconsistently. This results in increased exposures and a resulting increase in supplier incidents, accidents, lawsuits, insurance claims, regulatory audits and fines, and getting the company’s name in the newspaper in ways that do not make the C-team or shareholders happy.
Many of these damages can be measured on an annual basis, such as the number and cost of supplier accidents per year, the number and cost of lawsuits or insurance claims filed per year across the firm, and so forth. For less frequent risks, the cost and probability of supplier damage can be estimated, such as the potential impact of FCPA violations, the exposure and cost of IP compromise, theft of corporate secrets or valuable property, the impact of IT security breaches, and so on.
A co-managed process can help to significantly reduce the cost-of-damages in several ways:
Improved Initial Risk Awareness/Identification—More risks are exposed during the due diligence process, at which time actions can be taken to avoid those risks (e.g. insist on proper insurance, use another supplier, etc.) thereby reducing future losses.
Increased Completeness of Risk Diligence / Number of Suppliers Managed—When properly integrated into a firm’s supplier management processes, these systems create consistency in diligence across the enterprise, which is especially critical for decentralized procurement decisions. The disciplines, processes, and systems brought by an experienced third party provider can generate huge improvements in the number and percent of suppliers for which the proper due diligence is performed and the depth and completeness of that diligence. The result is a dramatic reduction in incidents and damages.
Improved Ongoing Risk Awareness and Response—When a third party service has well-developed monitoring capabilities, then emergent risks are discovered much sooner as they arise, giving more time to deal with them. Combined with mature technology for instantly gathering all of the right intelligence, the internal team has more options and can execute an optimal response, further avoiding losses.
By measuring your firm’s current cost-of-diligence and cost-of-damages and the potential improvements to both, a strong case can be made based on the ROI of co-managed tactical supplier risk management. The ROI is even more pronounced when the program is supplier-funded, as many companies have done.