Categories
BLOG - Risk For Competitive Advantage

Time to move beyond supplier risk?

Why are so many organizations “surprised” when they find out that their supply chain has become a victim of the latest disruptive event? I’m not referring to just those who manufacture the product but rather to all those that depend on it: customers or patients, suppliers and distributors, producers, and yes, even competitors. Recently, hospitals experienced an IV saline bag shortage and Newell’s Rubbermaid brand experienced a shortage of resin.

Why the surprise? After all, haven’t most organizations invested in supplier (3rd party, vendor) risk management programs and technologies? In my last blog, we even discussed the maturing process of the supplier risk product market. So why are organizations and customers/patients still experiencing major shortages and supply chain disruptions?

They say a picture is worth many words, so I’ll try to set the stage for the following illustration.

[Illustration: SCM Scope]

As you can see, the scope of what risk in the supply chain is actually being managed is part of the issue. The scope narrows further when you consider that only a portion of the suppliers, the ones considered the highest risk to the organization, are actually being actively monitored and managed. If you rely on property-based supply chain risk assessments, then the scope is typically limited to just your property, plant, equipment, and maybe inventory (it may include suppliers and your loss of revenue if you have contingent business or time element coverage; consult your broker). The business interruption insurance may be limited as well, to a narrow set of events such as fire, rising water, and other similar hazards.

What’s needed?

The scope of what should be considered begins with an understanding of industry economics and your organization’s role in creating value. It’s important to first understand the broader industry value chain for your “franchise” products. When a disruptive event occurs, this understanding will simplify your view of market dynamics amongst buyers (customers, patients, wholesalers), producers, suppliers, and competitors. How will demand change? Will you be subject to displacement exposure, such as when IV saline bags moved from Puerto Rico to Mexico? Once you understand the industry value chain and forces, you will then need to look to your business units/divisions to uncover the “franchise” products or services and the associated activities that create and deliver value to the market. I suggest a little bit of research and discussions with executives to identify the “franchise” products or services and the measure to use. The goal is to reveal the economic priorities, such as revenue, margin, liquidity/cash, innovation/growth, etc. At the end of the day, it’s all about profitability, but the reality is that the organization’s incentives will drive the behaviors.

Now you have the target, i.e. what matters most.  You can then move on to the critical activities that support the “franchise” products or services.  The supply chain encompasses many of these activities but the important element here is to highlight the activities that create your distinguishable or unique value.   By doing so, you establish the operational priority and associated financials.  Eventually this will get you to the allocation but more importantly, this framework provides a holistic view of the most critical supply chains.  Remember – if you’ve seen one supply chain, you’ve seen one supply chain.

You are now ready to map the extended supply chain for what matters most (from an economic perspective). The mapping should not only look far beyond the 1st tier upstream and downstream but should also look at critical resources such as labor and skills; technology, processing and data; physical assets; and relationships. This might sound like a bit of work, but remember, this is your franchise and the leaders pay attention to what matters most. Also, it’s important to do your homework and talk with others in financial planning, process improvement, risk and insurance management, and other areas. Much of the data and profile most likely already exist.

Once you have the map, you can then analyze the importance and contribution of each individual node in that particular supply chain, assess and measure the risk, identify mitigation and financing options, model a risk-return on investment, gain support for the investment, deploy the solution, monitor and report on it, and drive towards continuous improvement. That’s a mouthful, or a mindful, so I plan to break down some of these elements in future blogs. However, you can get a jumpstart by picking up a copy or image of the book, “Single Point of Failure: The Ten Essential Laws of Supply Chain Risk”, or the references on my website.

Vendor (3rd party) Risk: Who will win the platform wars?

Over the past seven years we’ve witnessed extensive growth in the market for cloud-based vendor risk management solutions (also commonly referred to as supplier and third-party risk). Two major events in 2011 accelerated market expansion: the Tohoku earthquake and tsunami, and the Thailand floods. The market for vendor risk assessment and management solutions shifted from a concept (stuck in the chasm between early adoption and the early majority) to reality as many automotive, electronics and other manufacturers realized the need for greater transparency and monitoring of their upstream supplier network. Vendor risk management regulation (e.g. HIPAA, OCC 2013-29, MMOG/LE, ISO 9001:2015, IATF 16949:2016) and pressure from the large hi-tech, automotive, energy, and chemical companies to comply with more stringent vendor risk assessment requirements led to further market expansion.

The law of physics applies here as well; what goes up must come down or in this case, markets consolidate as solutions become more widely accepted and less unique.  The commoditization phenomenon leads to acquisitions, roll-ups and yes, even the demise of the weak.

What are the implications to your current vendor risk management program?

The big question: which general platform will thrive and which will just survive? Let’s take a quick look at the market for solutions. Here’s one way to view the market of direct and indirect solution providers.

  • ERP (Enterprise Resource Planning) and operations platforms that include vendor risk management capabilities as well as APIs to integrate data feeds (e.g. vendors such as SAP, Oracle, IBM, QAD).
  • Procurement, Sourcing and Vendor Management platforms that are managed by the CPO and sourcing functions and dedicate entire modules to vendor risk (e.g. vendors such as Ariba, ProcureWare, Gatekeeper, Ivalua, HICX).
  • Risk Driven GRC, Supply Chain Risk and Data-Risk platforms that are typically managed by sourcing, procurement, enterprise risk management, and/or supply chain risk management functions (e.g. vendors such as Resilinc, RiskMethods, Lexis Nexis, D&B, Rapid Ratings, iTrust, Hiperos, Logicgate, Navix, 360 Total Solution, SupplierSelect, Virima).

All provide valuable intelligence to decision makers on how to anticipate and react to vendor risk in the upstream supply chain. However, the market for risk-driven platforms (GRC, Supply Chain Risk and Data-Risk) will be the first to see consolidation, acquisition and exiting. History has demonstrated that risk-based solutions in the technology space ultimately succumb to the OEM providers of performance (firewalls, antivirus software, desktop and network security hardware/software). It is highly unlikely that the risk-based platforms can operate as a stand-alone market for an extended period of time; their market penetration and working capital (or investment) are minuscule in comparison to those of the ERP and Procurement platform providers. All ships rise with the tide and eventually, many of the advanced risk monitoring and assessment features will be standard in the broader operational platform offering.

Now is the time to begin assessing how the shift will impact your vendor risk management program. Consider questions such as: where is the vendor data maintained, and how easily can it be ported or exported to another platform? Will the same level of risk rigor and associated features be maintained if the risk platform is integrated into an ERP or Procurement platform? Organizationally, who will be responsible for the conversion, integrity and sustainability of the new/modified solution? These are just a handful of the many questions that you will need to begin thinking about as the market transforms.

What do you think?  Please comment or send me a note to discuss further.