It seems that one of the hottest topics in risk management today, along with cyber, is that of Supply-chain Risk Management (SCRM), and rightly so as companies struggle to keep up with global complexities. While this topic is almost certain to continue to gain attention for years to come, I am concerned about some of the solutions and advice being offered by many consultants, big and small. Many of these firms are offering projects to map supply-chains, focus on “top spend” vendors and strengthening resiliency. While these seem like logical things to do, many don’t make sense and can actually do more harm than good. As I found out through the design and implementation of a number of SCRM processes, one being a Fortune 50 aerospace company, prior to committing to some of these types of projects, it is best to establish an SCRM organization and good governance oversight around risk management to ensure sustainability and effectiveness. Unfortunately, I rarely hear much discussion about SCRM governance. Such a discipline has the power to align the organization and increase the effectiveness of communications about risk matters. This is powerful!
When it comes to SCRM governance, some consultants and BCM practitioners are advocating for SCRM to be part of Business Continuity Management (BCM). I concede that an interruption in supply-chain can cause business disruption which is precisely why consultants and practitioners often want BCM to govern the SCRM process. What seems logical is actually illogical. SCRM is best left to the SCM organization to establish and run themselves. Call it self-governance but after all, they are the experts with the tribal knowledge about the company’s supply-chain. Take an integration approach of the SCRM process with related areas like Enterprise Risk Management (ERM) and BCM, you now have the potential to increase effectiveness substantially which can naturally achieve great things like improved performance and resiliency.
Based on my experience, the best way to establish integrated governance is for the SCM organization to develop a risk process in the form of a Risk Management Plan that is consistent and easily integrated with the company’s existing ERM process. The risk management plan will usually define a SCM Risk Committee chaired by the senior leader of the organization with representation from all facets of SCM. The committee reviews together, usually monthly, a list of risks that come from the disparate SCM organizations. In some cases, the ERM leader may attend committee meetings; however, established escalation criteria usually govern the elevation of risks to the enterprise level when necessary, even outside of standard review cycles.
With good governance and a robust organization, there is still a need for tools. When it comes to tools for SCRM, there are many to choose from and often they are acquired in SCM silos instead of through a strategic plan that integrates across the organization. By establishing the SCM Risk Committee mentioned previously, SCM has a better chance of obtaining tools that align across the organization and integrate silos. While I don’t advocate any particular set of tools, I have found that there are several capabilities that are necessary for a company to effectively identify and manage supply-chain risks. A subset of these capabilities that I like to have are:
- Intelligence gathering on vendor companies which includes intelligence about their leaders, finances, breaking news, major customer announcements, among many other things. I typically develop a scorecard of data points which I seek to gather. With intelligence gathered by “web-crawlers” as one example, I can batch information by company or individual in weekly reports to process it quickly and efficiently. It is amazing how much information can be gathered just by setting up alerts for the right elements that you need to be predictive about your suppliers.
- Network-mapping is another powerful tool and capability to have. Unfortunately, most firms sell the idea that they are going to come in and map your entire supply-chain. That is almost impossible given the fact that once you get below the Tier I suppliers, you may obtain 30% of Tier II suppliers and then beyond that into the Tier III and so on, the supply-chain is too obscure and dynamic to accurately document. Nevertheless, good intelligence gathering and a good network mapping tool can unlock some of the obscurity and provide sustainable insights for your organization, but this is an iterative and long-term quest. To support your mapping activities, build personal and authentic relationships with your suppliers that are mutually respectful. You will learn more about your suppliers and who supplies them as a result.
- Real-time geolocation monitoring sounds like science fiction to some but it’s quite readily available and easy to implement. This is a capability that allows you to plot known vendors on a global map and then establish real-time alerts based on anything from weather and political unrest to earthquakes and tsunamis. In my case, we monitored tornados tracking by critical suppliers and even earthquake and tsunami impact areas in real-time. This information enabled us to make highly informed decisions, but the timeliness of those decisions proved even more critical. As we found out, hours, minutes, and even seconds count when it means obtaining supplies ahead of your competitors.
- Financial monitoring of critical suppliers is obviously necessary and while Dunn & Bradstreet among others provide good information in this area, most companies use boiler-plate vendor contracts that never require vendors to provide financial or risk information. This is a missed opportunity that I often see, but requiring financials quarterly from your vendors and looking at things like aging accruals as part of the “supplier delivery requirement” is not unreasonable and it can give you insights into financial health much sooner than some of the subscription organizations who often only receive their information yearly.
Regardless of what information you find critical for your SCM organization, there are a host of companies ready and willing to sell those services; however, for many companies, they are not affordable. As an alternative, there are some disruptive services available as “freeware,” “shareware,” or SaaS subscriptions which in many cases provide better information than what some companies offer for thousands of dollars. While your IT department may have a headache with this concept, they usually have a process available to obtain these applications as long as there is a justifiable business need, even in a Fortune 50 company as was my case. In the end, for very little investment, you can have a SCM “war room” that is identifying, monitoring, and projecting real-time data, much like NASA’s Johnson Space Center. This SCRM system of governance and tools can save your company multiples on any investment that will ever be made and at the same time support resiliency, agility, and strategic objectives through practical and sustainable initiatives.
Sid Feagin is a risk management Subject Matter Expert who has organically designed, implemented, and managed numerous risk management processes to support Enterprise Risk Management, Supply-chain Risk Management, and Project Risk Management across many industries. His processes have gained the attention of senior government officials, Board members, and Corporate Officers and have also led to substantial cost avoidance, savings, and efficiencies well into the millions. Known for his sustainable and executable solutions, he provides fractional risk manager services for companies seeking to outsource non-core competencies as well as risk management coaching, and consulting.