Vendor risk management is a key function of Procurement and Supply Chain. Some companies have dedicated teams to track and manage vendor risk.
An official definition is that "It is implementation of strategies to manage both everyday and exceptional risks along the supply chain based on continuous risk assessment with the objective of reducing vulnerability and ensuring continuity".
The potential benefits of proactive risk management are:
Avoiding supply chain disruptions.
Protection of price margins, by avoiding surprise price increases.
Increased customer and stakeholder satisfaction.
Better vendor relationships.
Now, whether Procurement should track vendor risk or whether there should be a separate Vendor Management Office managing it is a topic for another day. If you are getting started with a risk management practice, follow these four steps to organize the risk management process:
Define Vendor Risk Categories
Identify key Suppliers
Process to track Vendor Risk
Risk Mitigation Strategy
Let’s look at each one of them.
1. Define Vendor Risk Categories
Not all risks are equal; what is important to your supply chain might be very different from what matters to another company in another industry. Start by identifying which risk categories are important for your business. Here are some examples of vendor risk categories:
Delivery Risk: This is a measure of whether the supplier is at risk of not being able to supply goods or services. Some of the key drivers for tracking risk in this category are:
Supply chain disruptions due to manmade events.
Politically unstable environment.
Capacity and demand mismatch.
Financial Risk: As the name suggests, this is a measure of the vendor’s financial stability and its ability to stay solvent. Some of the key drivers for tracking risk in this category are:
Unstable economic environment.
Events like the 2008 financial disaster.
Low cash reserves and bankruptcy.
Reputation Risk: This is a measure of risk to the reputation of the company. Some of the key drivers for tracking risk in this category are:
Bad working conditions in developing countries.
Suicides by workers, for example, Apple and Foxconn.
Quality Risk: This is a measure of product or service quality risk. Some of the key drivers for tracking risk in this category are:
Lack of quality standards.
Use of low-quality raw materials.
Limited visibility into your supply chain, for example, the horse meat issue.
Use the above parameters to come up with a balanced scorecard. You can have a generic scorecard, or you can create category-specific scorecards to meet the requirements of each category.
2. Identify Key Suppliers
Does it make sense to track risk for all suppliers? Probably not, and there are diminishing returns as the number increases anyway. So the second step is to identify the key suppliers for which you want to track risk.
There are a lot of supplier segmentation approaches. If you have one, that’s great. If not, here is a simple approach to identify the key suppliers for which you should be tracking supplier risk:
All suppliers who are single-source suppliers.
Suppliers who are a critical part of your supply chain and can cause disruption.
Suppliers for categories which are high in demand and low in supply.
Suppliers with high spend.
Suppliers who have proprietary technologies.
The above are just some examples, but you get the idea.
3. Tracking Supplier Risk
When it comes to tracking risk, you need to clearly define the following:
What risk you are tracking.
How you are going to gather the data.
Tracking Risk: Once you have identified the risk categories, break them down into specific measures or Key Performance Indicators (KPIs). Some examples:
Key financial ratios like leverage
EBITDA (Earnings Before Interest, Taxes, Depreciation and Amortization)
On time delivery
Location of the Supplier
PPM (Parts Per Million)
Number of orders rejected in the last 12 months.
Compliance to policies and control enforcement.
This is not a comprehensive list by any means, but it offers some ideas on how to get started with defining KPIs.
Once you are done defining the specific KPIs for the various risk categories, identify and define how you are going to gather data to track vendor risk. Some things to consider:
Where the data resides, whether it is in internal systems or third party systems.
How the data will be gathered and aggregated, through manual files or through an automated system. For qualitative data, you might need to gather data via surveys.
How often you plan to gather this data. For example, financial ratios don't change every day, but the delivery day might change based on the orders.
4. Risk Mitigation Strategy
The fourth and last step in your vendor risk management strategy is to define a risk mitigation plan. Some risks have a high probability and some have a low probability; that can be used to prioritize risks when defining a mitigation plan.
For example, for delivery risk, a short-term mitigation strategy is to carry additional inventory. Other measures could include frequent site visits to ensure better quality.
When it comes to investments in vendor risk management, try to find the right balance of risk and reward.