CPO Agenda Supply Chain Risk and Corporate Reputation

ROUNDTABLE: REPUTATION

48 CPO AGENDA | AUTUMN 2012 www.cpoagenda.com

HOW CAN MANAGING SUPPLY CHAINS MITIGATE RISKS TO CORPORATE REPUTATION?

In our latest roundtable debate, senior buyers discuss procurement and risk, and ask how their companies

and organisations manage corporate reputation. The event was sponsored by Achilles

Roundtable.48-53.1.cr.indd 48 12/09/2012 12:18

www.cpoagenda.com AUTUMN 2012 | CPO AGENDA 49

Rebecca Ellinor (RE): Are organisations yet connecting risk and reputation?

Jean Olivier Billes (JB): Not enough. They might do it through a marketing department, or other department, in order to improve their reputation, but I don’t think they use procurement much on this. Most of the time, targets cost savings and they are more short-term, whereas when your reputation is aff ected, it can be a problem in the long term.

RE: Do you have to educate people?

Kirsty Bower (KB): It is 50-50. They do get it when it aff ects them directly. For example, they understand we need to attract the best companies to come and do our construction. They don’t get the other end of it, that if you breach EU Regulations that can aff ect reputation.

Dan Quinn (DQ): The role procurement can have in identifying and managing risks that

Participants: (clockwise from left)

Ian Campbell, business development manager,

Achilles Gary Hills, head of capital

development, BBCSue Ferm, supply

management director, AtkinsJean Olivier Billes, regional

procurement director, SunGard

Rebecca Ellinor (chair), managing editor, Supply

Management Dan Quinn, new sector development director,

Achilles Kirsty Bower, head of

procurement, Affi nity SuttonNick Brazier, CPO, BNP

Paribas UK (centre) Tim Astley,

regional practice leader, strategic risk and business

resilience, Zurich

THE PANEL

could impact on reputation is rarely under-stood. Some sectors understand this better than others and unfortunately some won’t get it until they have their own public and expensive problems.

Ian Campbell (IC): Everybody makes the link between reputation and risk. However, it is about early identifi cation – knowing where risk is going to come from and for each category of corporate policy.

Gary Hills (GH): It is a constant thought – reputation risk – in the BBC. It is always there for slightly diff erent reasons. It doesn’t aff ect our share price, but being publicly accountable there are plenty of organisa-tions out there ready to pick up anything that happens and publish it to the public.

Sue Ferm (SF): There is an understanding that there is a reputational risk, but is the connection to the procurement and supply chain made? Only when something happens

is there an assessment of what process is in place and what audit trail you have.

Nick Brazier (NB): As an investment bank, we have a keen eye on reputation, certainly over the past few years. We have started to try and turn it into something that we can track and measure and we can take action against those warning signs. It is becoming more of a process, more of a governance factor.

Tim Astley (TA): The key thing is to recognise reputation as one consequence of risk. Procurement clearly has a central func-tion in supply chain and value chain evaluation, but businesses should be taking an holistic view to try and evaluate the risk. It is there in different guises in diff erent organisations.

RE: Are you saying that procurement might well have its own process to try to protect itself against risk to reputation, but the other parts of the organisation



don’t have it and then there is only so much procurement can do on its own?

TA: Yes. If you do take an isolated perspective, you run the risk of running into operational imperatives, like procurement – cost, qual-ity, delivery – to the exclusion of some of the broader risks and issues that an enterprise might be exposed to. It is only when you take those issues together and the perspective of diff erent functions that you can get a full view.

NB: Once we start understanding what the risks are and start having processes, we only have to make sure the people we work with and our stakeholders understand we need to go through these steps, by showing them what the impact would be.

JB: It is more about educating at the top sometimes. For example, they will build a reputation with the focus on quality of ser-vices, but they will not anticipate any risks to avoid any future issues.

SF: Organisations are so diff erent in terms of who the process owner of risk is – group risk, director of a corporate risk, director or whoever. Theoretically someone should own that because that is when you can get all the strands of the business together.

NB: We are starting to co-ordinate more with other teams that in their own way have also had to start looking at this: BCM, or IT secu-rity, for example. Because they have their own processes, we are starting to build them into our central process as we are looking at vendors. Where other areas of the business are already developed and are quite mature

developed we then see three levels of risk: one is the broad environment – the generic exposures that a company might be exposed to, for example fl ood zones. Then it is opera-tional issues – what is the supplier’s performance? Then it is about looking at the supplier’s own environment – what are the relationships like?

JB: It is even more complex now. You have to understand the supply chain of your sup-plier, of other partners if they are in another part of the world, or another region. There are diff erent regulations, diff erent situations to deal with.

GH: You can structure that as much as you like to specifi c areas of risk. That takes in fi nance, health and safety performance and lots of other things there. You give them weighted scores and have a panel to score responses and moderate answers. You allo-cate sections out to specifi c people or subject matter experts. Then they moderate together later on to give an overall score. There might be absolute criteria that people have to meet with regard to financials and things like that. It all feeds into the reputation risk.

SF: We have a supply chain knowledge centre that we have developed in-house. It is part of our pre-qualifi cation process; it identifi es risk with that particular supplier or contrac-tor. It is a standard checklist and a very similar panel, so we have three people who look through the diff erent elements of that pre-qual process. It would record any risks – red and amber risks are highlighted on the portal eff ectively. Evaluation will be done as a subset of that.

A lot of our suppliers will have to do the same approval process for everybody they work for in a diff erent guise, so we all create a diff erent version. We have talked about a standard model [within the industry] that

then you can pull them in, but we can’t be the leading light for every area of the business.

RE: Are others fi nding procurement is leading on this area?

NB: Yes, part of it is picked up by corporate communications to make sure. But they don’t have an eye across the business as to what is going on every day.

TA: The main custodians of reputation are the board of directors. Where we have seen traction on the importance of supply chain risk, it has been driven from the board.

DQ: I am sure if some of the automotive or tech companies impacted by the Japanese or Thai disasters had predicted some of the risks of having a manufacturing cluster in an area that is likely to be fl ooded or have earth-quakes, they would have been more motivated to invest in managing it.

JB: Or it could have already been coming from procurement, by having a back-up plan, or a dual sourcing strategy where you have one vendor in this part of the world and another one somewhere else.

RE: What other processes or systems do your organisations have in place?

NB: We developed our own basic Excel-based measurement assessment tool, which looks at criticality at risk on two axes. There are 16 questions – simple radio buttons that you pick from multiple selection answers and it rates a vendor, plots them on a graph and tells you whether they are high, medium or low risk. If it is high risk you might put an action plan in place to mitigate the risk you have identifi ed and that is a very high level view of what we have done.

TA: Once the critical risks have been

“If some of the automotive fi rms impacted by the Japanese disaster

had predicted risks, they would have been motivated to manage it”




we all aim for that would give us the perspec-tive on a plate, so we are all working on the same information.

DQ: Achilles has an approach to looking across the whole sector. Suppliers collabo-rate in non-competitive areas to make the whole process much more effi cient for both buyers and suppliers. In eff ect, they are cre-ating sector-wide standards and consistency, which facilitates the prequalification of suppliers across the entire sector.

RE: Do you make it part of the risk analysis of your suppliers that the onus is on them to look at the risk of their suppliers?

NB: Historically that is how we have done it: relied on the vendor and put things in the contract and SLAs, but increasingly we are not happy with that. The onus still needs to be on the tier one vendor, but we need to be getting more information more regularly.

GH: We have changed our approach to some contracts, whereby we demand certain areas are self-delivered so you have that bit more control over risks there and are able to audit.

RE: Is it easier to get fi rms to make a change when something goes wrong?

NB: Over the past few years in procurement we have been honing our skills and processes to at least start to take more of a governance-based approach to risk. When something happens, you get a sudden step change and you leap forward a couple of years’ worth of organic development in a few months.

GH: Sometimes you do have to wait for an incident. If we put proposals forward that are not accepted by the board, you have to highlight the risk and then it is a decision on the likelihood which may then be out of your hands as to whether the business accepts it.

TA: A risk manager will try to get them to do things to stop things happening in the future, rather than waiting for them to happen.

RE: Any tips on how you make that argu-ment to the board, to get them to invest?

JB: One solution could be to present some

cases – and their consequences – that happened in the same sector and industry.

TA: Our actuaries like to see real data in order to price the risk. We found there wasn’t any coherent data out there, so we set up our own supply chain loss event database, which goes back 10 years, and codifi es loss events by sector, loss type and region. It covers all issues that give rise to a supply disruption.

NB: The other driver can be legislation, of course, in terms of how vendors are treated by large organisations.

RE: Kirsty, as a small organisation do you fi nd it easier to be connected to all of these other parts of the business and to see where the risks might occur?

KB: In terms of the front-end of the procure-ment process, if we are leading a new contract it is easy for us to pull in all the right people, to make sure we have the risk. We struggle with the back end as the contracts go to the operational departments.

We have our audit director and the audit team measures the risk register. We have a risk board. Each year our internal auditors will look at all the contracts they have, and each time we hand the contract over, we make sure that we not just train the contract manager, but anyone else who that contract will have an impact on during its life.

A lot of the risk management comes out about the day-to-day relationship you have with the guy on the other side of the table.

RE: If you don’t have that relationship with those suppliers there are things you are

never going to fi nd out – it is about the private companies and trying to get the fi nancial information. Is that a key part of your risk management strategies?

NB: Yes. Some of our vendors might be stra-tegic by nature because they are the only provider of some software or whatever. They are a partner, whether you want them to be or not and you need to be working very closely with them to make sure you are always aligned. You can’t be surprised by anything with some of these vendors because it would immediately have a serious impact on operation.

TA: The challenge is when you have a sup-plier that is strategic to you, you look at how important you are to them, and it may be very diff erent. That is another issue that needs to be addressed. If you know you are number 20 in their list of priorities then that tells you something about how they will respond in the event of a supply shortage.

KB: We brand ourselves as one of the top 10 housing associations, but if you take it out to the wider world, we are tiny. The mentality of the staff is that they expect suppliers to fall at our feet. We have put a simply policy in place and said nobody in the business can meet a supplier unless they have gone through a commercial awareness training, so at least they know what they can say and what they can’t say.

GH: We have the strategic relations board (STAR) for the major contracts. You have the main board, driven by procurement, but you have to produce an annual report on the




suppliers that are within the STAR contracts. There is also a six-month health check, so you have to report on the risks that you think exist and report up.

NB: If we have a high risk we will put an action plan in place, but rather than just every two years, we might go through every quarter. Then we hand the contract over. The person you are handing it to is not going to have the time to do what you think they are going to do, so you have to have structure in the contract.

RE: How do you work out who your critical suppliers are?

NB: We have done it two ways: by spend, but also looked across main categories and identifi ed the vendors that are strategically critical to us.

TA: We try and look at it from a value view-point – what is the impact on the output of an organisation, whether it is reputation, market share or profi t – and try and work backwards from there and map the various connections from a value perspective rather than an expense perspective.

RE: Are there certain things people don’t consider a risk – because they are too often just looking at where the spend is?

DQ: Undoubtedly, in many cases they are focusing on the core of the business to understand where things are likely to go wrong. But inevitably when something does goes wrong it is because they are blindsided by something unexpected.

GH: We are looking at the contracts now saying: “Shall we deliver this in-house because we are not transferring the risk, but we are paying a premium for it?” Just look-ing at whether risk transfer is really achievable. I definitely don’t think it is with reputation.

SF: We do a tiering based on spend and con-tract so it is about opportunity more than risk. It drives how we manage the money terms and frequency reviews, and so on.

RE: So how do you deal with problems when disaster strikes? Have you dealt with it swiftly or had a back-up plan?

NB: That is where the value of your relation-ships comes in, how close you have managed to be with your vendor.

TA: It is not just about managing upstream, the impact of whatever diffi culty has been had, but to the extent that it might impact the customers and the sales and marketing people in the organisation, having them engaged and integrating them into the pro-cess so they can be communicating with their customers if there are supply prob-lems to be addressed or to be recognised. Then customers can view issues sympa-thetically which can go a long way to enhance a reputation.

We were involved with a European tele-coms company that lost a network as a result of a fi re. The fi rst thing it did was communicate with key customers and handed out mobile phones because this was part of its plan. This was what it anticipated. Even though the network was out for a week

and it was a massive inconvenience, these customers remembered that this company had handed out mobiles and dealt with it.

DQ: High impact, low probability, “black swan” events will occur. Catastrophes will occur. Do you think organisations can still get away with the excuse of “It is a low probability so we didn’t manage it”?

GH: If you recognise it. As long as you have an audited trail of the decisions made and why.

TA: It’s a good point about the planning issue and how far down the probability curve you go; it is like trying to second guess every event that is going to happen. We were asked after the Iceland volcano: “Does that mean I now have to study all of the Northwest European volcanoes to under-stand where the next volcanic threat is?” Those disrupted were dependent on Northwest European airspace to transport goods. It is trying to pull away from really specifi c triggers and think about generics. Otherwise you would never get it done.

IC: What about every day risks that are very transactional, for instance, consultants coming onsite – they are handling your data.

NB: For consultants, we have a very strin-gent on-boarding policy for coming into the business, having IT access, have access to confi dential information, IP related issues, confi dentiality issues. In a way, because that is a tangible thing, we fi nd it easier to con-trol. One thing I see a lot more of which has a big reputational risk attached to it is data: everything we do now takes an extra month’s negotiation on data protection. That is a real developing area that no one has nice handy clause they can just throw at a contract; eve-rything seems to need to be tailored around diff erent services and diff erent scenarios.

TA: Clearly, the data issues are similar across all sectors. Cyber risk is not a new issue, and I doubt whether it is restricted to supply chains. Cyber exposure – whether it is data, virus attack or systems’ interconnectedness – there is so much dependence upon that whole area of technology and connections.


GH: It can be restrictive as well – our infor-mation security restricts possible changes that would improve processes. There are areas that I have highlighted where the business has responded negatively – they won’t take that risk. You are preventing business improvement in some cases.

TA: This issue of inter-connectedness is now at the top of a lot of people’s agendas. Diff erent entities have information on sup-pliers at diff erent levels of a particular value chain, if you like, and it is just joining these dots together that, in time, will start to give more visibility. You do come across confi dentiality issues and the ability to share data.

RE: How do you go about identifying your suppliers’ suppliers?

SF: We ask them who they are and what was their process for managing their sup-ply chain. Again, as we get further down the supply chain, that becomes less and less in terms of documented processes. You just have to assess the risk based on the limited knowledge, or limited information you are given.

NB: For us, if it is a sensitive process being outsourced, then we will want to validate. Beyond that, certainly at the start of the contract we would validate the proposed – lower down the chain, the subcontrac-tors. On some that aren’t very sensitive we would put the onus on them and it would be down to them to manage and deliver the service as they see fit, within the parameters we set.

GH: If we deliver projects on time and in budget and without any disruption, then the business looks to you much quicker than it would to do somebody else and it tries and carries out its own procurement. Make it easy and effi cient for your internal customers for them to follow your own preferred procurement route. Avoiding any of those risks you can then advance your own standing in an organisation.

NB: If you have a good reputation as an organisation, you can probably get

your hands on innovative products before others.

TA: Apple recently has gone out and listed its key suppliers so they are public informa-tion. I am sure one reason it has done that is now there is a whole list of people who can freely talk about how good Apple is as a customer, which will enhance Apple’s reputation.

SF: Clients are very interested in how our supply chain views us. In the bid process that we go through it is a key question that says: “How do you measure this? How do you get feedback? What are they saying about you?”

NB: You can’t always mitigate risk when it is there anyway – sometimes you just have to live with it and you have to appreciate that sometimes. If you need something and your business has one source of supply and they happen to not be very solvent, you have to live with it. You can’t have a black and white tick box: “if you can’t tick that box you are not coming on to the RFP” approach.

GH: Sometimes things that are that rigid will be losing out in certain areas.

SF: We did have a debate as to whether we should extend our process. We decided we would just test they have a process in place and go with that. It was a decision point that said our resource is better used over here.

RE: What about putting opportunity and risk together? Does anybody have examples of that, where you can attract better suppliers, or more customers?

JB: If you are compliant in terms of soft-ware and you sell software solutions packages, then it is good for your image,

your customers and your reputation. It is indirect – I am not sure you can measure this – but in the long term you build a ‘brandable’ company. KB: When we do the business case for any new contract we are going to procure, we try to understand who might be interested in it, why and what type of customer we might be to them. Then you can start to understand the best way to put the con-tract out there to attract the right people and discourage the people it is not going to fit with. It is almost like a reverse contract; what are we to them?

“If you have a good reputation as an organisation you can probably

get your hands on innovative products before others”



CPO Agenda Supply Chain Risk and Corporate Reputation

Documents

Transcript of CPO Agenda Supply Chain Risk and Corporate Reputation