Supplier Risk Management: Joining Best Practices with ... · Joining Best Practices with Technology...

Supplier Risk Management:Joining Best Practices with Technology

Hankamer School of BusinessMBA ProgramFocus Firm

Sponsored By:Baylor Research Team:

Joe GastlerAude BraleyJared Haney

Sarah HillAaron Peavy

SAP Partner:Eric Coker

Latest Revision:June 22, 2015

Supplier Risk Management: Joining Best Practices with Technology

Copyright © 2015 Ariba, Inc. All rights reserved.

EXECUTIVE RESEARCH SUMMARY

Supplier Risk Management Is Real Opportunity

It is time to get serious about supplier risk management. For starters, only 41% of CPOs are heavily involved in risk management activities according to Deloitte. Supplier or vendor risk has risen in priority with large enterprises in recent years to drive further value in sourcing and supplier management activities. Traditionally, companies have tracked their supplier risk with operational Key Performance Indicators (KPIs) such as on-time delivery, quality, and spend levels per supplier. However, many other risk categories are left unserved such as financial, regulatory, geopolitical, environmental / sustainability, and reputational / brand risks. What opportunities exist today and in the future for companies to minimize supplier risk, protect margin, and drive more incremental value from supply chains?

This paper focuses on the key findings by the research conducted by Baylor University on organizational supplier risk management practices.

Key Questions

The Baylor team conducted this research with a primary focus on three key areas:

1. How do companies structure and execute supplier risk programs?

2. What types of supplier risk are companies measuring? How are they using their results and KPIs to manage their overall supply chain?

3. Given this information, what features, components, or tools would the ideal supplier risk management technology contain?

Key Findings from Interviews

The findings in this report are based on interviews that Baylor University conducted with 33 companies spanning multiple industry verticals.

Major observations on the current state of supplier risk management yielded these patterns:

1. Companies are currently only measuring historical operational and financial performance rather than measuring comprehensive supplier risk

2. There is no consensus on which KPIs/KRIs are valuable for evaluating a supplier’s risk profile

3. On-boarding suppliers is the cornerstone practice for mitigating supplier risk with little to none ongoing monitoring.

4. A small minority of companies are utilizing Big Data and predictive analytics in their supplier risk management practices

The last century brought massive globalization to the international business community. The effects of this move towards globalization are far-reaching, but perhaps one of the most notable areas impacted has been supplier management. Supplier management issues stretch the world over – from farm to table, from oil platform to gas pumps, from laboratory to pharmacy. These issues are full of nuance, complexity, rules, regulations, and standards.

2



The issues comprising supplier management are diverse. Management, innovation, information, work structure, and culture all work (or fail to work) in concert with one another. During the early part of the 21st century, another component issue of supplier management has risen to critical levels of importance: supplier risk management.

The Time Is Now

Why is supplier risk suddenly gaining the spotlight? There are several factors. Some are very general business trends: globalization, speed of business, and competition. As supplier networks stretch the world over, they increase in complexity. The complexity associated with a global supply chain often has the positive effect of improving gross margin, as companies are able to source from the cheapest available supplier. A globalized supply network also carries the downside of magnifying the negative effects of disruption. The speed of business is ever increasing and companies with agility in their procurement and supply chain departments stand the best chance to retain competitive positions. As competition increases, margins for many at the terminus of supply chains have shrunk. In response, companies with the resources and wherewithal to do so have invested in diligent management of their supply chain to protect their company’s top and bottom-line.

These general business trends help explain the natural emergence of supplier risk management, including increasingly higher levels of spend on supplier management technology. Out of this increased spend on supplier management solutions, little carve-out has been strategically allocated to the discipline of risk management. To help explain this trend, one must look to signpost events.

Drivers

Supplier management is, in many companies, a discipline that takes a backseat to more “glamorous” functions like marketing, product development, sales, or even financial analysis. Specifically, supplier risk programs have not gained seats at the strategic table yet. Over the last few years, focus has been placed on maintaining supplier data accuracy and capabilities for supplier portals and efficient collaborative workflow. Supplier risk insights and analysis are just now getting visibility as significant challenges that need solutions.

There have been significant events in the last decade that have sent signals rippling through the global business community. These events have given businesses pause to consider how their supply chain could be vulnerable to a similar event – and how it might hurt their company’s future. A few examples:

• Financial Crisis – The global recession in 2008-2009 exposed the financial weakness of long-established firms, many of whom were suddenly insolvent.

• Tsunami – The struggles of companies like Nissan and Toyota to continue their supply network unabated in the aftermath of the tsunami in Japan are well documented. These struggles have caused many companies to give closer consideration to their trans-Pacific supplier relationships.

• Data Breach – Cyber security is an emerging frontier in business, and its implications for supplier risk are clear. Sony suffered a significant security breach that revealed their internal strategies to the world. Relationships were strained, and Sony lost value.

3



• Tier Depth – McDonald’s sources meat for their Asian markets through OSI. OSI is a large slaughterhouse company that has multiple partners, some of whom are independent. In 2014, it was publicly reported that one of these partners was recently caught packaging expired meat for use at McDonald’s restaurants, temporarily slowing Asian market expansion and reputational damage.

These trends, both general and specific, along with research conducted by some of the leading firms in the country (ex. Deloitte, Accenture, McKinsey, Hackett) and research conducted by the team from Baylor all point to the same conclusion:

Supplier Risk Management matters.

MARKET TRENDS AND ANALYSIS

The team identified several trends through their research, both from primary and secondary sources.

Vision

A consistent theme emerges from both the interview findings and the scholarly research – companies simply are not thinking outside the box on supplier risk management. To be fair, there are constraints.

Companies with very lean fiscal controls, mostly SME or small-cap companies, have limited resources to allocate for supplier management. They put their time, money, and resources towards sales, marketing, or product development, rather than focusing on an issue that seemingly only matters when something “goes wrong.” This attitude permeates upwards into larger companies.

At a leading restaurant chain, for example, a team of four FTEs handles the majority of supplier management for approximately 300 restaurants. With a 3-year top-line CAGR above 200%, effectively managing their growing supplier network is an increasing struggle.

A trend is emerging. It is beginning with some of the largest companies in the world. These companies with vast and immense supplier networks are pouring their resources into processes that ensure supplier disruption is minimized. They are tracking risks associated with labor disputes, weather patterns, brand reputations, sustainability, and more – on an ongoing basis.

The rest of the business world – the 99% – are essentially mitigating supplier risk the way they always have: analysis of Key Performance Indicators such as timeliness, on-time delivery, and quality. A few companies include regulatory, compliance, or pricing issues in their risk assessment, often performed by manual processes.

Supplier risk management is diverse, but companies known for their ability to sustain competitive advantage will evolve their capabilities in this area. More companies will look to replicate the strategy of driving value from supplier risk mitigation.

4



Key Risk Indicators

There are associated growing pains with the global business community enhancing supplier risk evaluation capabilities. As companies seek to establish the standards by which they measure supplier risk, they are growing these metrics out of traditional KPIs. Companies are typically doing this in isolation, identifying those risk components important to their firm. Both of these trends carry risks of their own.

Companies have long-used operational or performance KPIs to assess supplier relationships. Performance in areas of timeliness, quality, and price are relatively easy to track using ERP systems and are often tabulated in Excel spreadsheets. Since this data is readily available, companies have expanded its application to measures of supplier risk in recent years; however, this does not solve the supplier risk challenge as performance makes up only a component of risk. A supplier could hit all of their deliveries at Six Sigma quality, but still carry a great deal of risk that would not appear in KPIs or on a firm’s balance sheet. An example:

Buyer A is looking for a supplier of industrial-grade carrot orange paint. They have looked into Acme Paints, Inc. All of their deliveries have been on time, the quality of the paint rivals best-in-class providers, and their prices are reasonable. Buyer A goes the extra mile and engages a third party to audit Acme Paints’ books. Everything appears to be in order. Buyer A forms a supplier relationship with Acme Paints.

Buyer A has conducted due diligence to assess both operational and financial risks. Do they have a comprehensive risk profile? No.

The marketplace is gradually shifting to the use of KRIs – Key Risk Indicators – in their risk assessment, much to their benefit. While performance is a “piece of the puzzle” for supplier risk management, the usage of KRIs suggests an ideological shift on the part of companies towards a more comprehensive model for risk evaluation.

This comprehensive model presents another major hurdle. Returning to the previous example:

Buyer A has now been using Acme Paints as their primary orange paint supplier for the last two years. It is time for Buyer A to renew their contract with Acme Paints, and their CPO has asked for a new risk evaluation. In the last two years, the manager in charge of risk evaluations, Burt, has seen the relationships between many competitors and their suppliers fail for reasons outside their normal risk evaluation.

One company faced an issue where the supplier was shut down for violating environmental standards. Another was part of a labor dispute that caused a work stoppage for a month, delaying shipment of a key component. Still another saw one of their suppliers shamed on social media for use of child labor overseas. As a result, he is trying to decide what components need to be added to Buyer A’s risk evaluation. Moreover, Burt is concerned about where he would find such information to incorporate it into a risk evaluation. He has limited time and resources.

Is this an extreme example? Yes. Yet it demonstrates the difficulty with developing a comprehensive risk evaluation. There is little to no consensus as to which KRIs should be used to form a truly comprehensive risk evaluation model, and all but the largest companies struggle with getting the information they need to form an accurate assessment.

5



Front-loaded Risk Analysis

The most common method for mitigating supplier risk is the process of on boarding. When companies are looking to establish relationships with suppliers, they perform an evaluation of that supplier before the relationship is established. Each company’s process is unique to them (an extension of the lack of consensus), but they all amount to the same: companies are trying to determine the net benefits of doing business with individual suppliers, factoring in potential costs and risks.

Unfortunately, on boarding may be the only risk mitigation process for many companies; ongoing risk monitoring is often left out of the supplier lifecycle. Best practices are calling for suitable risk monitoring in the supply chain, across multiple risk categories. Many companies are now enlightened to this paradigm in a fast-paced globalized world, but currently lack the technology tools to efficiently deploy and manage scalable supplier risk management processes.

Big Data

More than 77% of the companies surveyed for this report are not currently utilizing big data or business intelligence services as part of their risk evaluation and mitigation procedures. A recent paper from Hackett Group indicates that companies are mixed on the overall quality, availability, and pricing of the data that exists for predicting risk.

However, most mid-sized companies that do not have the ability to use big data do not see a need to invest in a large system. Budget and resources monopolize the conversation for incremental spend in this area. ROI for predictive supplier risk analysis remains unclear and differs greatly among companies. For those organizations with best-in-class technology, this capability truly allows them to minimize risk to the greatest extent.

PRIMARY FINDINGS

The following represent the important points and characteristics gleaned from the interviews conducted with the companies. Not surprisingly, the larger companies were dominantly mature in supplier risk management capabilities and practice.

• CentralizedERPsystemwithvendormasterisstandardwithacriticalneedtointegrateERPsuppliers to a supplier management system (if resident outside of ERP)

• Self-servecapabilitiesforsupplierstoupdatetheirinformationthroughERPconnectionand/orsupplier portal/network

• On-boardingistheprimaryriskmitigationstrategywhichincludesacontingencyframeworkforcritical suppliers

• Aspartofonboardingandongoingmonitoringforcriticalsuppliers,on-siteauditsareconductedby their own certified employees or through a contracted, third party

• Ongoingauditsincludequalitycontrolteams

• Supplychainmappingfordirectmaterialssuppliers:n-tiersbymaterial,partprovided

6



• In-houseproprietaryalgorithmsanddedicatedheadcounttoprovideriskscoresand/orriskquadrants for their supply base. Typically, this process is only applied to the top 10-20% of suppliers by spend and/or perceived risk level.

• Suppliermanagersand/ordatascientistsareminingBigDatatopredictriskpatternsorlikelihood of certain ‘performance’ events. One example is the prediction of weather patterns.

• OperationalKPIsarealwaystracked,howeverotherriskcategoriesaretrackedbasedontheirpriority by industry. Geopolitical, regulatory, and reputational (brand) risks are growing in importance.

o Financial risk is often the first risk evaluated before moving forward with supplier

o Few companies have engaged outsourced providers to provide reputational risk tools through social media analytics on suppliers (semantic layering)

• Extensiveuseofsupplierscorecardsandformalreporting

• Supplier360dashboardstoviewsupplieractivitiesandratings

• Supplierperformancebenchmarkingofapprovedsuppliersinsystem

o Few companies are reaching outside their own systems with outsourced vendors providing supplier benchmarking data by industry

• Suppliersegmentationbyspendlevel,region,and/orproductprovided

• Excelspreadsheetsarestilladominanttoolforcalculatingandtrackingvarioussupplierrisks

• Formanycompaniesinterviewed,NOformalsupplierriskprocesseswereinplace

Survey Responses

How do you measure supplier risk?

7



How do you measure the obtained KPIs?(i.e. What tools/methods do you use)

What risk categories do you evaluate?

What are the main supplier KPIs you track?

How do you share supplier information and KPIs internally and with company partners?

8



Do you use predictive analytics in evaluating risk?

SCHOLARLY FINDINGS

IBM1 • 60%ofcompaniesidentifysupplierriskmanagementasatopchallenge.

• Despitethischallenge,only56%ofcompaniesreporthavingabusinesscontinuityplan.

• Process,data,andtechnologyarealldrivingasolutiontoSUPPLIERMANAGEMENT.

Aberdeen2 • Best-in-classandAveragebuyersaretwiceaslikelytohavevisibilityintothestabilityoftheir

suppliersasLaggards

• 54%ofbuyerslistlackofinsightintoenterprise-widesupplierperformanceasthetoppressurein supplier management

• 30%ofbest-in-classbuyershavesuppliernetworksmappedintothe2ndand3rdtiers,whileonly 8% of all others can say the same

Taylor & Francis3 • Astudydonein2005investigated800casesofsupplydisruptionanddeterminedthatpublic

companies suffering a notable supply chain disruption experienced stock price returns 30% lower than benchmarks.

• Adifferentstudyconductedinthesameyearidentified10keyprinciplesforsupplyrisk,withthree key points:

o Diversification in sourcing is essential to mitigate risk

o Flexibility is critical for business success

o Information sharing is necessary for continuity

Yes23%

No77%

1 (Ferretti & DeMartino, 2014)2(Limberakis,2012)3 (Saghafian & Van Oyen, 2012)

9



The Hackett Group4

• 27%ofcompaniesdonothaveametricinplacetomeasurethesuccessofasupplierriskprogram

• 73%ofcompaniesdonotquantifythecostsofsupplierriskprograms

• Companiesthatallocatedresourcestosharecompetenciesandresourceswithexistingsuppliers are (on average) 2.6 times less likely to be exposed to performance-based risk

• 15%ofcompanieshavefullymappedtheirsupplychainandusedthemodeltoassesstheprobability & impact of supply disruptions. 42% are actively working to map their supply chain, while the remaining 42% are not

PWC & MIT5

• Companiesseekingtomitigaterisksrelyonthefollowing:

o Creation and implementation of business continuity plan (82%)

o Implementing a dual-sourcing strategy (79%)

o Using both regional & global strategy (78%)

o Pursuing demand collaboration with customers (72%)

o Forward-buying/Hedging Strategy (60%)

o Near-shoring Manufacturing Strategy (54%)

Summary of Scholarly Findings

Overall, the research team has identified key points from scholarly research:

• Companiesknowtheyneedbettersupplierriskmanagementandhavelisteditasatopchallenge to solve in the near future

• Themajorityoftheseprogramsarepoorlymanagedwithlackofknowledgetoassessriskandthen translate the value of doing so into ROI impact

• Alackofqualityandcomprehensivedataisobfuscatingvisibilityintosupplychains

• Businesscontinuityisthetoppriorityinmitigatingsupplierrisk–companiesareseekingtoavoid disruption

• Thereisanestablishedcorrelationbetweensupplychaindisruptionandacompany’sstockprice

Opportunities for Buyers

• StandardizesetsofKRIsmostrelevanttoyourindustryandbusinessandcreateworkflowbasedon ratings

• Leveragetechnologysolutionsthatautomatecontentsourcesforvariousriskratings(amongdifferent categories), regulation / certificate tracking, and allows dashboard views of various risk scores, ratings, and alerts

• Addriskmonitoringtothesupplierlifecycleinadditiontoonboardingforriskmitigationpractice

4 (Connaughton, 2014)5 (PwC, 2013)

10



Upgrading the Tools

Having accomplished standardization of KRIs, the next step in this process will be developing a risk evaluation tool that can incorporate all of the relevant components of risk. The team has identified several areas worthy of further study and eventual incorporation into such a model:

Environmental Risks

Beyond the obvious risks associated with sustainability or damage to the environment, risks associated with meteorological events are important and marginally predictable disruptions. Many international supply networks rely on overseas shipping routes that could be severely disrupting by hurricanes (Katrina), tsunamis (Japan), or volcanic activity (Iceland).

Brand Reputational Risks

Recently there has been increased visibility in the relationship of suppliers and companies that buy from them. If a supplier has issues with their treatment of workers or compliance with governmental regulations, then this reflects poorly on the company. Social media increases the visibility and the speed at which news travels, multiplying the impact this has on the company associated with the supplier. Companies are beginning to pay attention to the risks perceived by the public – not only of themselves, but also of their suppliers.

Data Security Risks

In recent years, the largest companies (some of them in the 1% mentioned previously) have suffered significant data breaches that have affected their supplier relationships. Sony and Target are two such examples. Data breaches at both companies have had substantial disruptive effects. According to one industry professional interviewed, data security is quickly becoming a focal point for many firms.

Labor Concerns

Earlier this year, a labor strike in California shut down the ports and prevented distribution of imports throughout the US. A handful of top companies based on market cap, were able to predict this strike out to six months in advance.

Another major mid-size company did not have the technology in order to predict the strike. They were forced to front huge costs to fly in their exports from China. Showing mid-size companies how to predict nebulous supplier risks such as labor strikes is a way to gain entry to this lucrative target market.

Speed Up Your Journey

The development of KRIs and a comprehensive risk evaluation tool are meaningful steps, but they do not solve another key area of need: the need for more information. Components of the proposed evaluation model are heavily reliant on predictive analytics, which require data to be of use.

In-memory database technology is ideally suited to this task. This architecture combined with next-gen reporting capabilities provide the bandwidth and logic to data mine social media, RSS feeds, and the global information network in general. Results can be tabulated and calculated for risk ratings and industry trends can be charted. Once these components are in place, predictive models are possible for forecasting risks.

11



The California Dockworker’s strike during the end of 2014 and 2015 provides an excellent example of how using predictive analytics can provide clients with cost-saving business intelligence. Two companies the research team spoke with during their research were directly impacted by the dockworker’s strike. One company was forced to use air-based cargo services to avoid further supply chain disruption at great cost to the company. The second company was able to predict the strike months in advance due to their use of predictive analytics, and they began rerouting shipments to other ports. As a result, they were not forced to use expensive air-based freight services and their supply chain suffered no significant disruption.

CONCLUSION

The issues surrounding supplier management are gaining in complexity. It is not a passing fad – but an important managerial consideration for supplier relationships that is in need of a smart, simple solution. It needs a welcomed seat at the strategic table for those companies needing to drive more value out of their supply chains. Very few enterprises have conquered efficient supplier risk management, covering most risk categories. For those enterprises that are at the top of the maturity curve, it has become an expensive ‘enterprise.’ However, it does not have to be expensive in the coming years. There are many technology firms invested in this discipline that will bring more structure to unstructured risk management – and at a lower cost and TCO when factoring the ‘insurance’ of minimized losses and disruptions. Supplier data remains a challenge and a non-integrated vendor master presents limitations. With the right information management capabilities and automated enrichment sources to provide risk, regulatory information and alerts, any organization will be able to firmly assess their supply chain risk and take corrective action when necessary. Furthermore, onboarding is now augmented by ongoing monitoring – driving risk management to the next level and measuring the beating pulse of suppliers. The best-in-class supplier risk management practices have adopted Big Data solutions and they are reaping additional competitive advantage by staying ahead of their suppliers with predictive risk analysis.

Bibliography

Connaughton, P. (2014). 2014 Supply Risk Management Study. New York: The Hackett Group.

Ferretti,L.,&DeMartino,B.(2014).What Every Procurement Professional Should Know About Supplier Risk Management: The IBM Story. Dallas: IBM.

Limberakis,C.G.(2012).Supplier Lifecycle Management. N/A: Aberdeen Group.

PwC. (2013). PwC and the MIT Forum for Supply Chain Innovation. Boston: PwC.

Saghafian, S., & Van Oyen, M. P. (2012). The value of flexible backup suppliers and disruption risk information. Ann Arbor: IIE Transactions.

Wilson, D. R., Adams, R., & Bergfors, M. (2015, February 4). Magic Quadrant for Strategic Sourcing Application Suites. Retrieved May 1, 2015, from gartner.com: http://www.gartner.com/document/2977817?ref=QuickSearch&sthkw=strategic%20sourcing&refval=150943205&qid=6c808e43e7e5f1b1eb6eb3bd32e65f62

12



List of Participating Companies

1. Kellogg2. Pilgrims3. J.W. Nutt4. KPMG5. Dillard’s6. Eaton7. CaseStack8. Vestcom9. HAVI (McDonalds)10. Smashburger 11. Pfizer12. Materion13. Regional Hospital 14. Johnson & Johnson15. L316. Mars 17. Darden18. Mighty Auto Parts19. Coca Cola20. McLaneFoodServices21. DraytonMcLane22. Brinkman23. Cisco24. IBM25. Time Manufacturing Company 26. HEB27. Chipotle 28. 3M29. Monsanto30. RJ Reynolds Tobacco 31. Sony

Companies 32 & 33 asked to remain completely anonymous for the purposes of this report.

13

Supplier Risk Management: Joining Best Practices with ... · Joining Best Practices with Technology...

Documents

Transcript of Supplier Risk Management: Joining Best Practices with ... · Joining Best Practices with Technology...