4 Steps To Effective Vendor Risk Management


Vendor risk management is a key function of Procurement and Supply Chain. Some companies have dedicated teams to track and manage vendor risk.

An official definition is: "It is implementation of strategies to manage both everyday and exceptional risks along the supply chain based on continuous risk assessment with the objective of reducing vulnerability and ensuring continuity".

Potential benefits of proactive risk management are:

  • Avoiding supply chain disruptions.

  • Protection of price margins, by avoiding surprise price increases.

  • Increased customer and stakeholder satisfaction.

  • Better vendor relationships.

Whether Procurement should track vendor risk, or whether a separate Vendor Management Office should manage it, is a topic for another day. If you are getting started with a risk management practice, follow these four steps to organize the risk management process:

  1. Define Vendor Risk Categories

  2. Identify key Suppliers

  3. Process to track Vendor Risk

  4. Risk Mitigation Strategy

Let’s look at each of them.

1. Define Vendor Risk Categories

Not all risks are equal. What is important to your supply chain might be very different from what matters to a company in another industry. Start by identifying which risk categories are important for your business. Here are some examples of vendor risk categories.

Delivery Risk: This is a measure of whether the supplier is at risk of not being able to supply goods or services. Some of the key drivers for tracking risk in this category are:

  • Late deliveries

  • Natural disasters

  • Supply chain disruptions due to man-made events.

  • Politically unstable environment.

  • Capacity and demand mismatch.

Financial Risk: As the name suggests, this is a measure of a vendor’s financial stability and its ability to stay solvent. Some of the key drivers for tracking risk in this category are:

  • Unstable economic environment

  • Events like the 2008 financial disaster

  • Low cash reserves and bankruptcy

Reputation Risk: This is a measure of risk to the reputation of the company. Some of the key drivers for tracking risk in this category are:

  • Bad working conditions in developing countries.

  • Suicides by workers, for example Apple and Foxconn.

  • Child labor

Quality Risk: This is a measure of product or service quality risk. Some of the key drivers for tracking risk in this category are:

  • Lack of quality standards.

  • Use of low-quality raw materials.

  • Limited visibility into your supply chain, for example the horse meat issue.

Use the above parameters to come up with a balanced scorecard. You can have a generic scorecard, or you can create category-specific scorecards to meet the requirements of each category.

2. Identify Key Suppliers

Does it make sense to track risk for all suppliers? Probably not, and there are diminishing returns as the number increases anyway. So the second step is to identify the key suppliers for which you want to track risk.

There are a lot of supplier segmentation approaches. If you have one, that’s great. If not, here is a simple approach to identifying the key suppliers for which you should be tracking supplier risk:

  • All suppliers who are single-source suppliers.

  • Suppliers who are a critical part of your supply chain and can cause disruption.

  • Suppliers for categories which are in high demand and low in supply.

  • Suppliers with high spend.

  • Suppliers who have proprietary technologies.

These are just some examples, but you get the idea.

3. Tracking Supplier Risk

When it comes to tracking risk, you need to clearly define the following:

  • What risk you are tracking.

  • How you are going to gather the data.

Tracking Risk: Once you have identified the risk categories, break them down into specific measures or Key Performance Indicators (KPIs). Some examples:

  • Financial Risk

    • Payment history

    • Key financial ratios like leverage

    • EBITDA (Earnings Before Interest, Taxes, Depreciation and Amortization)

  • Delivery Risk

    • On time delivery

    • Complete order

    • Location of the Supplier

  • Quality Risk

    • PPM (Parts Per Million)

    • Number of orders rejected in the last 12 months.

  • Reputation Risk

    • Labor policies

    • Compliance with policies and control enforcement.

This is not a comprehensive list by any means, but it offers some ideas on how to get started with defining KPIs.

Once you are done defining the specific KPIs for the various risk categories, identify and define how you are going to gather the data to track vendor risk. Some things to consider:

  • Where the data resides, whether it is in internal systems or third-party systems.

  • How the data will be gathered and aggregated, through manual files or through an automated system. For qualitative data, you might need to gather data via surveys.

  • How often you plan to gather this data. For example, financial ratios don’t change every day, but delivery day might change based on the orders.

4. Risk Mitigation Strategy

The fourth and last step in your vendor risk management strategy is to define a risk mitigation plan. Some risks have a high probability and some have a low probability; that can be used to prioritize risks when defining a mitigation plan.

For example, for delivery risk, a short-term mitigation strategy is to carry additional inventory. Other measures could include frequent site visits to ensure better quality.

When it comes to investments in vendor risk management, try to find the right balance of risk and reward.
