The association of choice for risk management Professionals in the Asia Pacific Region

Whitepaper November 2016

Managing Supply Chain Risk

A White Paper detailing key elements of a robust supply chain risk management framework

Written by:

Guy Underwood, CPRM, AFRMIA
Managing Director, PKF Forensic and Risk Services

Dale Cochrane, AMBCI, DBCI
Senior Consultant, Business Continuity, National Australia Bank

CHAPTER ONE – INTRODUCTION AND CONTEXT

According to the Oxford Dictionary, a supply chain is “the sequence of processes involved in the production and distribution of a commodity.” In layman’s terms, it is the relationship between entities that results in goods and services being produced for consumption or distribution. Supply chains are necessary to allow entities to function efficiently and meet their customers’ demands – hence the effective management of a supply chain is important to all organisations.

The purpose of this whitepaper is to inform discussion around the effective management of risk within the supply chain, and to provide examples of risk mitigation strategies which should assist organisations in managing this type of risk. It is not intended to be a detailed review of supply chain risk management, but rather an introduction to the concept and consideration of the many facets that must be managed effectively should an organisation want to ensure a sustainable and ethical supply chain.

One of the key drivers of this whitepaper was the recognition that every organisation is exposed to risk in its supply chain – whether it operates in the private, public or not-for-profit sector. Another key driver is the increased globalisation of the market which has resulted in almost every organisation interacting with a foreign entity in its supply chain – often without being aware that they are engaging with foreign companies, or even in some instances, who they are actually procuring goods and services from.

The risks associated with managing a supply chain are many and varied, and include:

• Continuity of supply – ensuring that sufficient goods and services are available to allow an organisation to operate or fulfil client requirements;

• Regulatory – including breaches of bribery and corruption legislation, Competition and Consumer Act 2010 and relevant environmental laws;

• Legal – such as breaches of contract, rights to audit and jurisdictions; and

• Quality – particularly the supply of goods and services which are not fit for purpose.

It is hoped that this whitepaper will allow risk managers to develop a deeper understanding of supply chain risk management and allow them to engage in meaningful dialogue with management on this important topic. We also hope that organisations that have little or no understanding of the risks in their supply chain will now have a paper that will assist them to build capability in this area.

CHAPTER TWO – UNDERSTANDING YOUR SUPPLY CHAIN

Cranfield University defined supply chain risk management as “the identification and management of risks within the supply chain and risks external to a co-ordinated approach amongst supply chain members to reduce supply chain vulnerability as a whole” (Supply Chain Vulnerability Report, January 2002).

One of the first risks faced by organisations with respect to effectively managing their supply chain is failure to undertake sufficient due diligence on companies before appointing them as a supplier. In many instances, organisations focus on the financial state of a potential supplier with due diligence largely consisting of suppliers having to prove their financial position to potential clients. Whilst this is important, there are a range of other enquiries which should be conducted as part of the due diligence process. These include:

• Establishing beneficial ownership of the company – are the directors and/or shareholders linked to organised crime, government officials etc.?

• Identifying any previous experience in supplying similar services – can it handle the volume of work, have there been issues in the past with disruption etc.?

• Understanding whether the company has been involved in any regulatory issues – such as environmental, bribery and corruption etc.

The lack of visibility over the supply chain also continues to be an issue, with many organisations lacking the ability to report supply chain incidents on an organisation-wide basis. Indeed, it has been found that less than 30% of organisations report supply chain incidents across their whole enterprise (Fig 1: BCI Supply Chain Resilience Report, 2015) – meaning that almost three-quarters of firms do not have full visibility of the risks within their supply chain. Additionally, this research identified that more than a third of these organisations make no effort to report incidents at all.

Figure 1: Level of incident reporting

The most common reasons for the failure to report supply chain incidents include:

• The existence of silos within organisations which impede reporting; and

• A lack of priority given to supply chain risk management by senior management.

These reasons highlight the need for leadership to get involved in the management of risk across the organisation’s supply chain, driving changes that improve visibility of the supply chain and of incidents affecting the organisation’s suppliers. The complex nature of supply chain networks within many organisations is evidenced by the growing number of key suppliers that organisations deal with, each of which should be managed effectively as part of the organisation’s business activities. Despite this, disruptions continue to occur at lower tier suppliers. It is therefore important for organisations to report disruption within the supply chain on an organisation-wide basis and to develop increased visibility over suppliers (Fig 2: BCI Supply Chain Resilience Report, 2015).

Figure 2: Tier level where incidents occur

There are a number of sources and origins of supply chain disruption for organisations with external inbound supply chains. Organisations that do not have a process to report these types of incidents will often never know where their disruptions originate. This further demonstrates the vulnerability of organisations which are closely linked to their supply chain networks: a lack of knowledge regarding the sources of disruption has proven to be a point of failure in organisations adversely impacted by supplier failures.

A key risk control for an organisation is to close gaps in its supply chain by engaging closely with its suppliers to obtain a better understanding of the controls suppliers have in place to prevent disruption. Organisations should also maintain a robust assurance program to confirm these controls are effective. This includes ensuring each supplier’s business continuity arrangements are sufficient to respond to a disruption if that risk eventuates. Accordingly, business continuity must be part of the conversation between organisations and their suppliers from tender onwards.

Supply chains play an integral role in an organisation’s overall resilience. Key themes that organisations should be aware of include:

• The reliance on technology in managing complex, global supply chains can influence an organisation’s overall risk profile;

• Implementing supply chain business continuity enables good practice and creates a positive cycle of behaviours leading to greater resilience;

• Leadership plays a key role in ensuring supply chain resilience by embracing and supporting good risk management; and

• A lack of visibility over the supply chain remains one of the biggest challenges to an organisation’s resilience.

Globalisation has created more complex supply chain networks with greater risks. It is crucial that the vulnerabilities of an organisation’s supply chain network are examined to identify inherent risks and weaknesses. In turn, appropriate mitigation strategies and corrective action plans must be implemented to manage risk in the supply chain.

Effective management of supply chain risk requires every employee involved in supply chain management to manage the threats and risks arising from weaknesses in the supply chain. Employees at all levels must continually identify and manage risks in their area of responsibility. For example, senior management should be concerned with strategic risks around the supply chain, whilst staff involved in procurement should focus on tactical issues.

Key areas of risks to consider include:

• Routine supply chain risks - such as unexpected transit delays, changes in customer orders, problems with suppliers.

• Natural disasters - although unpredictable, effective organisations anticipate disruptions and develop contingency plans accordingly.

• Political/civil unrest - whilst not a major concern, it should be considered, particularly in the context of the countries where the relevant supplier resides.

• Laws and regulations – including the unexpected application of regulations in a particular country or changes to relevant regulations.

• Terrorism - although quite rare, acts of terrorism often result in additional costs to the supply chain from increased security and other requirements.

• Technology – the possible failure to implement supply chain technology.

The challenge for any organisation is to recognise the full scope of its supply chain network and the vulnerabilities it faces in that network, while mitigating and managing those risks effectively. Vulnerabilities can only be managed if the organisation and its network have the necessary supply chain capabilities and capacity to do so. This requires more than what a good enterprise resource planning system or strong processes can deliver – it must be driven by the competencies of the people involved.

Loss of a supplier is a major risk to organisations that will increase with the current outsourcing trend. For larger organisations, staff responsible for organisational risk and business continuity can play vital roles in reducing supply chain risk by:

• Assisting procurement to select critical suppliers using a risk based approach;

• Educating operational staff on the importance of suppliers; and

• Helping improve the organisation’s business continuity response capabilities.

It is vital for organisations to be aware of the vulnerabilities in their supply chains, including the sources of risk and how each risk can be managed to increase control and confidence in the supply chain.

CHAPTER THREE – UNDERTAKING A RISK ASSESSMENT OF YOUR SUPPLY CHAIN

Effective supply-chain risk management is essential for any organisation to be successful. It is a skill and capability many organisations have yet to develop. In some organisations, both problems and practices are well defined. In others, problems are defined, but practices are developing. Therefore, it is fair to say supply-chain risk management is an evolving field.

In the current climate the number and type of suppliers to which large and small organisations outsource is multiplying. The supply of raw materials, manufacturing and warehousing have in many organisations been outsourced for some time. Now functions that were traditionally kept in house - such as finance, procurement, internal audit, HR and OH&S - are also being outsourced. In reality, any part of an organisation can be outsourced.

Suppliers are often more susceptible to incidents than the organisations they supply. Being small or lean, operating on small margins, providing a just in time service and/or supplying a single product amplifies the impact of disruption on the supplier.

Threats to the supply chain are many and can range from a natural disaster or political instability to getting caught up in another organisation’s dispute. An organisation needs to know where its suppliers are located, what sort of events they are susceptible to, and be aware of any event/s that could affect its supply chain. These risks have been considered in the previous chapter.

An effective strategy for dealing with supply chain issues requires risk or business continuity managers to educate procurement staff on how to make risk aware purchasing decisions. This education process includes ensuring procurement knows which suppliers are critical to the organisation – particularly with respect to continuity of supply. Procurement should be made aware of the consequences that losing a supplier has on the business so they can weigh these against commercial or cost considerations when selecting suppliers. In other words, supplier selection should be made not only on commercial grounds (such as cost) but also on the supplier’s resilience to disruption in its operations.

A supplier strategy should also be developed by organisations, detailing a number of buying strategies used to mitigate supplier risk. These include:

• The use of “redundant suppliers” in the event of a major supplier failing;

• Contractual obligations, which require suppliers to have a secondary source of material in the event they suffer an incident impacting their ability to fulfil; and

• Penalty clauses, which are enforced when a supplier fails to deliver as per their contract.

In evaluating a potential supplier, procurement should consider:

• The quality of all the suppliers’ products and/or services: not just the one being supplied;

• Their history of previous incidents;

• “Key person” dependencies;

• Financial stability;

• Supply capacity; and

• Their business continuity planning.

With respect to this final point, staff with business continuity knowledge should support the procurement manager in assessing the validity and quality of each supplier’s business continuity planning. This can in turn help procurement make an informed risk based decision during the vendor selection process.

Once the supplier is on board, the allocated supplier relationship manager should engage operational staff to ensure knowledge of suppliers who are critical to the organisation and the impact any failure by those suppliers would have on the business. In some organisations this is well known but in larger, more complex organisations, the critical role suppliers play is not always appreciated. Fostering a culture of monitoring suppliers should be encouraged so potential failures are detected early.

In order to be effective, monitoring should include:

• The performance and quality of suppliers, with any drop in quality investigated, as this may be an early indicator of a major problem.

• Near misses, as they may indicate potential major issues, such as OH&S breaches.

• Any mention of the supplier in the press or online regarding issues such as scandals, financial irregularities or pending legal action against the supplier.

One way to track supplier vulnerabilities is through an Enterprise Vulnerability Map to categorise the relative likelihood of potential threats – see the diagram below (Fig 3: Massachusetts Institute of Technology paper, volume 47, 2005).

Figure 3: Vulnerability Map

According to the BCI Supply Chain Resilience Report, 2015 the top 3 causes of disruption are:

• Unplanned IT and telecommunications outages;

• Cyber-attack and data breach; and

• Adverse weather.

There have been a number of incidents around the world that demonstrate the impact of supplier failure on organisations:

1. The reliance on technology to aid complex supply chain networks effectively produced a single point of failure impacting many organisations in the case of the Chennai floods that occurred in December 2015.

2. The impact of civil unrest/conflict was highlighted during the violence that occurred around the Cauvery River, Bangalore in September 2016.

3. The effect of environmental incidents and animal diseases, such as the Hendra virus which crippled the Queensland racing industry in July 2008.

Common consequences of supply chain disruption include a loss in productivity; an increase in customer complaints; increased labour costs to remediate issues; damage to brand/reputation and an impact on cash flow. Many of these consequences manifested themselves during the Nanna's frozen mixed berries case involving potential hepatitis A contamination in February 2015. The frozen berries incident and the cases mentioned above show that organisations may be held responsible for incidents caused by suppliers and not the organisation itself – outsourcing key functions does not mean the organisation is immune to reputation damage as a result of actions by third party suppliers.

Although supply chain risk may not be at the top of the agenda for most organisations, it must be a consideration since the loss of a supplier can impact any organisation. It is critical that risk managers revisit their organisation’s suppliers and ensure suitable risk mitigation measures are in place to protect against adverse incidents impacting these companies.

Staff involved in procurement, risk and business continuity must be actively engaged in identifying supply chain vulnerabilities to effectively manage the associated risks. Once identified, these risks can be managed using a variety of tools and techniques. Some of these include:

• Implementing a “lessons learnt” program, drawing on data relating to previous experiences from an organisation’s internal change process map or risk register;

• Developing a close knowledge and understanding of markets and suppliers to enable a simple, proactive management approach to increasing awareness of emerging issues;

• Managing the entire supply chain - both upstream and downstream - to reduce vulnerabilities;

• Ensuring that procurement staff are evaluated by a range of measures, including their ability to assess and manage supply chain vulnerabilities effectively;

• Developing a supply chain strategy that supports the organisation’s goals and is responsive to customer requirements;

• Ensuring that the organisation’s internal risk management policy and framework is followed;

• Having appropriate supply chain controls in place with the ability to respond to disruptions as and when they occur;

• Using an auditable risk management software program to manage the entire process.

As with any aspect of risk, there are four key processes necessary for the effective management of supply chain risk:

1. Risk identification – understanding where the risks are;

2. Risk assessment – deciding on how critical they are to the ongoing operations of the organisation;

3. Risk treatment – developing strategies to manage the risks; and

4. Risk monitoring – allowing organisations to understand changes in their supply chain and anticipate potential issues before they become problems.

CHAPTER FOUR – KEY LEGAL ISSUES AROUND SUPPLY CHAINS

All organisations rely on a complex set of relationships to operate – relationships with their customers, regulators, employees, boards and shareholders. The relationship between an organisation and its suppliers is critical to ensure that the organisation can fulfil its obligations to its customers and key stakeholders.

In 2012, Autodom – a company that made car parts for Toyota, Holden and Ford – collapsed and threatened the ability of Holden and Ford to continue the production of cars in Australia. Indeed, both companies believed that if Autodom ceased trading, they could be forced to shut down production for 18 months. As a result, Holden and Ford provided $6.5m of financing to keep the business going in an effort to avoid halting production at their own plants. This real-world example of managing risk in the supply chain highlights the potential vulnerabilities that large companies can experience if a small cog in the supply chain fails.

The example above is also a good introduction to the legal complexities that can impact an organisation’s supply chain. For instance, if a company secures a large contract to supply a major store/chain of stores, it is highly likely that the contract will include a range of legal requirements around areas such as continuity of supply; minimum standard of production; and being “fit for purpose” (a point also covered by Schedule 2 of the Competition and Consumer Act 2010).

If a key supplier to that company fails (as in the situation with Autodom above) then the company may find itself in breach of key covenant/s of its contract with this major corporation. This could result in a range of penalties, including liquidated damages and termination of the contract.

It is therefore crucial that organisations develop a close relationship with their legal providers – either internal or external – to ensure these lawyers have a sound understanding of the risks present in any legal agreement, particularly where the actions of a third party (such as a supplier) have the potential to adversely impact the organisation itself. Lawyers need to be aware of pertinent issues such as:

• How reliant is the organisation on a particular third party with regards to its ability to meet the requirements of the contract?

• Has the organisation had a long term relationship with the third party/s that demonstrates they have the ability to meet the organisation’s requirements?

• Have there been incidents in the past where the third party has failed to fulfil its obligations to the organisation – including cases of industrial unrest/work stoppages, natural or other disasters etc.?

• Does the organisation have redundant suppliers in the event that a main supplier is unable to fulfil its requirements?

• Where are the third party/s located and what jurisdictions do they operate in globally?

The last point raises a number of issues from a legal perspective. Firstly, in the global marketplace that most organisations operate in, it is highly probable that an organisation may engage with a third party based overseas with no operational presence in Australia. This begs the question – what is the value in having that third party enter into a contract that is governed by the laws of Australia or a particular state in Australia? How can an organisation enforce a contract with a third party that is domiciled overseas and not subject to the jurisdiction of the Australian legal system?

This white paper does not recommend organisations cease third party contracts overseas – it merely highlights the difficulties enforcing a contract with suppliers outside Australia. Similarly, an organisation must consider the practical elements of contractual rights, including the “right to audit” the books and records of a third party.

This is a key risk mitigation strategy that all organisations should consider when framing contracts. However, it is also important to bear in mind practicalities such as:

• Where the supplier is located and what costs are associated with travelling there to undertake an audit?

• What language do they speak and does the organisation have any employees who speak the same language and can participate in any audit that may be conducted?

• Are there any cultural challenges which impact the ability of an organisation to audit a supplier – such as whether women are allowed to directly address men, religious festivals etc.?

• Are the accounting requirements in their country of residence the same as Australia or are they different, requiring local knowledge to interpret financial documents?

• What actions will the organisation take against any supplier who breaches any part of the contract – particularly if they are a key component of the organisation’s supply chain?

There are a variety of other legal issues to consider (such as bribery and corruption, regulatory compliance, Occupational Health and Safety etc.) and this paper does not set out to address each of them. What is important, however, is that all organisations have a detailed understanding of the various legal and regulatory risks present in their supply chain and have a range of legal and other strategies in place to mitigate those risks accordingly.

CHAPTER FIVE – MANAGING YOUR SUPPLY CHAIN

There are a variety of tools and strategies that can be used by organisations to manage their supply chain. This chapter discusses a number of these strategies with a view to allowing organisations to consider them in the context of their risk management framework.

Chapter Two discussed the strategy of undertaking detailed due diligence on suppliers before they are engaged by organisations. However, it is important to remember that even if suppliers pass the due diligence process, an organisation should ensure it has a plan to manage suppliers on an ongoing basis. One strategy which is particularly effective is the use of site visits.

A site visit involves the organisation arranging for an employee or external consultant to attend the premises of a supplier to verify a range of key areas, such as:

• Reviewing the suppliers’ processes to ensure product or service quality and safety;

• Establishing whether appropriate policies, procedures and processes are in place – such as those relating to security, privacy and confidentiality - and, if not, collaborating with the supplier to develop them;

• Reviewing the work conditions and wages paid to staff, and ensuring that there is no child labour and that all employees are there of their own free will and not grossly underpaid (often referred to as “slave labour” and covered by legislation such as the Modern Slavery Act 2015, which became law in the UK in March 2015);

• Considering any potential environmental impact of the supplier’s business – such as air/water pollution, deforestation etc.; and

• Auditing suppliers’ financial records to determine whether they are in line with what was presented during any engagement process and/or whether there is any evidence of financial difficulty which may impact their ability to operate.

Obviously, conducting site visits – particularly at premises that are outside of Australia – poses a number of challenges to organisations, including the cost and time to conduct the site visits; language and cultural differences; and differences in regulatory regimes.

There are also a range of tools which can be utilised to manage supply chain risk. These include:

• Audits - The challenges of auditing foreign companies have been addressed in the previous chapter. However, conducting regular audits of suppliers is a key component of a robust risk management framework and allows organisations to uncover any issues before they become significant problems for the organisation.

• Certification - Another tool to consider is the introduction of regular certifications for all suppliers in relation to bribery, corruption and other risks such as child exploitation, poor environmental practices and potential breaches of legislation and/or regulations. Many organisations believe that external certifications provide peace of mind and allow them to demonstrate a proactive approach to risk management to interested stakeholders including shareholders, analysts and regulators.

• Training - In addition to these tools, organisations should also consider rolling out training to suppliers and their own staff. Keeping issues such as bribery and corruption top of mind can assist organisations in reducing the risk of their suppliers engaging in conduct that may negatively impact the brand of the organisation.

Perhaps one of the greatest advances in managing supply chain risk in recent years has come in the form of technology that has been developed to assist organisations in managing supply chain risk. There are a variety of vendors in the market who offer a range of software solutions designed to allow organisations to take a systematic and auditable approach to managing supply chain risk.

When considering or evaluating a platform to be used in managing supply chain risk, it is essential that organisations consider the following:

• When managing vendor compliance, it is critical organisations use an auditable system, as managing compliance in a spreadsheet is a risk in itself. Spreadsheets can be easily lost or misplaced and there is no historical audit trail that can be referenced.

• When selecting a vendor compliance tool, it is important to consider its ease of use, as many organisations will have possibly thousands of suppliers logging in relatively infrequently. As such, the user experience needs to be clear, easy and if the organisation has a global supply chain, translatable into other languages to ensure relevant suppliers participate.

A robust platform should also be able to offer a variety of additional functionality, including:

Conflict of Interest Register

Vendors, contractors or third party brokers can ‘self register’ into an organisation’s Conflict of Interest register to ensure the supply chain is in line with internal policy of the organisation.

Control Self Assessment

Control self assessment surveys are an effective way to enable the supply chain to attest to supplier controls that are in place. For instance, do they always submit their invoice with a purchase order? Are suppliers paid within the time specified on their contracts?

Vendor Portal

A vendor portal is a ‘one stop shop’ for suppliers and contractors to submit banking, compliance, insurance and other certifications to an organisation. Suppliers can self register, be approved by the organisation’s contract team and, most importantly, receive alerts when their insurances and certifications expire. Having this information in a platform rather than a spreadsheet enables an organisation to report on all suppliers on a granular basis.

Cyber Risk Survey

When procuring software or IT services, deploying a cyber risk survey to both potential and current vendors is an easy way to ensure suppliers comply with an organisation’s IT security standards. Surveys can be automatically scheduled to be sent to new suppliers, as well as existing suppliers on a regular basis.

CHAPTER SIX – CONCLUSION

This whitepaper highlights the risks associated with managing a supply chain and sets out potential strategies and tools organisations can use when developing a supply chain risk management framework. The risks identified and the strategies suggested are by no means exhaustive, and there is a plethora of literature and reference sites that organisations should consider in this regard.

However, we believe this whitepaper addresses some of the key risks organisations should be managing including trends and developments in supply chain risk management, such as:

• The risks posed by operating in a global marketplace – particularly with respect to foreign suppliers;

• Developments in legislation such as the UK Modern Slavery Act and Foreign Corrupt Practices Act;

• The difficulties in enforcing contracts with foreign entities;

• Engaging with lawyers to consider the variety of legal-related risks that are present in the supply chain; and

• The rise of automated platforms designed to allow organisations to better manage suppliers and related risks such as conflicts of interest and compliance.

Business continuity and risk management appear to be fairly well understood and applied within individual organisations. However, in many cases, the same is not true in terms of managing risk in the supply chain.

Therefore, organisations should consider the following when building out their supply chain risk management framework:

1. There needs to be organisation wide awareness of supply chain risks, which can be developed when an organisation recognises that it is exposed to risk of supply chain disruptions and realises the potentially serious consequences of such disruptions.

2. The focus should be on reducing the likelihood of a supply chain related event occurring that can impact the organisation and in minimising any impact on the organisation from these types of events.

3. Business continuity arrangements should be in place to allow an organisation to ensure it can supply products and services at acceptable predefined levels following a disruptive incident in order to minimise the impact to customers and the organisation.

4. Organisations should have appropriate systems and processes to handle the management of all aspects of supply chain risks.

It is critical to remember when the supply chain gets ‘broken’ it is often the organisation’s brand that will be impacted, not the supplier/s. Therefore, supply chain risk management plays a key role in ensuring the sustainability of any organisation and must be dealt with appropriately across the entire organisation.

Brought to you by

IntelligenceBank GRC

NAB

PKF