SMI 07 | Cover Story

Taking
A CRITICAL LOOK IN THE MIRROR

Professional Risk Management

For too long, companies have paid very little attention to risk management. The coronavirus crisis has meant that some of them have been forced to deal with the consequences of this mindset. Let’s take a look at the lessons that companies have had to learn.

In the end, it was a small, yellow digger that freed the 400-meter-long Ever Given, looking like a toy alongside the gigantic tanker. The Ever Given spent six long days blocking the Suez Canal at the end of March this year, bringing the most important sea trade route between Asia and Europe to a standstill. It was carrying goods worth around 2.9 billion euros and more than 450 other ships are thought to have been delayed as a result of the blockage.

Egypt claimed 900 million euros in compensation for lost canal fees, as well as for maintenance costs and the work to free the Ever Given. Many companies waited months for their goods to arrive.

Very few companies were prepared for this scenario, which clearly demonstrates how vulnerable global supply chains with their many branches have become. Although a good risk management system obviously will not prevent this kind of occurrence, it will help identify similar risks at an early stage and give companies the chance to put alternative countermeasures in place.

An effective risk management system is worth its weight in gold

In a situation like that, being able to act quickly is paramount. A proactive risk management department would have been able to immediately identify which goods were affected, the consequences the delay would have for the company, what they still had in stock, which alternative supply routes the company should switch to and which alternative suppliers could help fill the gap.

For a long time, risk management was a very abstract concept that companies hardly cared about. It does not mean avoiding risks completely, as they are an inevitable part of entrepreneurial activity, but it does mean identifying risks at an early stage and being able to react quickly. The term has become significantly more tangible for many companies over the last year. The recent risk management survey conducted by INVERTO indicates that some 42 percent of participants surveyed were affected by unexpected supplier failures in the past six months.

For example, a northern Italian supplier’s pandemic-related closure caused supply bottlenecks and, as a result, production downtimes lasting several days for one chemical manufacturer. The company was forced to source alternative products from other suppliers until their main supplier was back up to speed again. The chemical manufacturer subsequently changed its inventory parameters and also set up a task force, which now monitors similar risks on an ongoing basis and creates emergency plans for important supplier products.

The chemical company is not alone with its problems; there is also great uncertainty in other sectors. For example, most companies currently dependent on wood are accepting horrendous prices to secure their supplies. In the steel sector, there are currently no long-term supply contracts and prices fluctuate widely. And for deliveries by air or sea, even existing price agreements have been revoked. Companies have no choice but to accept the new conditions.

Companies are now more aware of the importance of a good risk management system than ever before. Of the participants in the INVERTO risk management survey, 61 percent indicated that they are systematically identifying their risks – up 23 percent on the previous year. There were 11 percent who did not answer, while 27 percent are only identifying their risks at irregular intervals, if at all. Despite this, almost every company needs to take action. “Systematically” most definitely does not mean the same to everyone and it is high time for the 27 percent who are still failing to identify their risks to address the issue.

Companies are now more aware of the importance of a good risk management system than ever before.

Risk Management Process:

Risk Identification

Identification of all potential events that might not run as planned and have a significant impact on pricing, supply reliability or quality.

Risk Assessment

Assessment of the probability of events occurring and evaluation of their potential impact on the company’s performance. Tests run for emergency situations.

Risk Monitoring

Monitoring all risks and taking appropriate action against any impending deviation from targeted objectives. Setting up a risk control tower in order to be able to act quickly

Risk Management

Implementation of strategies to make risks manageable: Risk prevention, risk taking, risk spreading, risk transfer

Four steps to optimizing risk management

For companies, efficient risk management means taking a good look at their own attitude to risk and making a dispassionate assessment of their position. It all boils down to four steps: first, identifying risks; second, assessing them; third, managing them; and, finally, monitoring them. These steps create a cycle that repeats at regular intervals because risk management is an ongoing process of regularly updating the risk identification and assessment steps.

Procurement is better placed to take on supply chain risks than any other department as it has the most direct contact with suppliers and can therefore spot risks in the supply chain as early as possible. But efficient risk management also involves ensuring the company’s own departments are in close contact with each other: finance, legal, R&D and logistics departments can all help assess the risks. Production can determine how important individual suppliers are for safeguarding supply reliability. For example, in order to manage risk efficiently, procurement must work with the other departments.

Reacting before the traffic light turns red

Spotting potential supplier insolvency at an early stage can save companies a great deal of money and stress. Companies can predict the future if they start early enough and take proactive measures, as demonstrated by an example from a mechanical engineering company.

To the article

Suppliers slipping into insolvency have long been a theoretical risk for many companies. Transparency about these suppliers and early warning systems that raise the alarm when the first problems arise were – and still are – far too rare.

Identifying risks in the most detailed way possible

The first step for identifying the risks a company’s supply chain is exposed to is to gain an overview by analyzing its product groups and suppliers. For example, product groups where there is a high proportion of raw materials or an anticipated shortage of a particular raw material can present a potential risk that needs to be monitored by procurement.

The responsibles for procurement have to be able to distinguish between five different risk types: supply risks, risks of supplier failure, quality risks, price risks and compliance/sustainability risks. Supply risks occur when deliveries are disrupted or delayed; for example, when primary products are not available from upstream suppliers or there are interruptions in the logistics chain. Risks of supplier failure include supplier insolvency and suppliers being threatened by legal or political consequences in the country where they are based.

Quality risks relate to consistent product or service quality, while price risks can be caused by shortened payment terms, exchange rate fluctuations or soaring raw material pricing. Compliance and sustainability risks occur when a supplier breaks the law, flouts environmental requirements or fails to observe social standards. Supply chain laws such as the German Supply Chain Act, which will soon be enforced, will increase these risks for companies, and the need to reduce CO2 emissions in the supply chain – referred to as Scope 3 emissions – thus increasing sustainability risks for many companies.

The greatest challenge lies in creating transparency, which ultimately determines the success of risk management. Therefore, strategic considerations are the focus at the beginning. Procurement must evaluate where and how it can obtain the necessary data. And once transparency has been created, a continuous process must be established to maintain this state in the long term.

Close exchange with suppliers is indispensable during this step. Only through regular discussions, self-disclosure and on-site audits with suppliers can buyers gain a true impression of the supplier’s individual situation. Companies also need to analyze information such as business figures, certificates of compliance with environmental standards, press releases or news reports. In individual cases, it may also be necessary to look at selected production plants of the supplier during an on-site audit. Determining which procedure is appropriate also depends on the relationship with the supplier.

Supply Chain Law

Supply chain traceability is high on the agenda everywhere – be it the Modern Slavery Act in the UK, the Child Labor Due Diligence Law in the Netherlands, the German Supply Chain Act or the Loi de vigilance in France. The goal of all these laws is to track goods that were purchased abroad for any production processes that are environmentally harmful or that breach human rights in any phase of their supply chain.

Most companies worry about their supply reliability

The weighting for individual risk groups will vary from company to company. The risk management survey conducted by INVERTO indicates that most participants are most likely to engage with supply risks, with 79 percent stating that this risk is currently their top priority. The figure was just 57 percent in last year’s survey. Second place on the list goes to supplier failure risks at 56 percent (57 percent last year). Compliance risks are at the bottom of the list, with just 8 percent giving them top priority (down from 25 percent last year).

But is that justified? Quantitative data – such as procurement volumes, shares of raw materials, or sales figures – is a good basis for determining the risk. If a company cannot pass increases in raw materials costs onto their customers, for example, they are at a higher risk. If a company only obtains a specific product from one supplier, then it is exposed to a higher risk of supplier failure or having to accept price increases.

Companies should introduce a standardized evaluation matrix – such as a scoring or ranking procedure – to assess the likelihood of a risk occurring and this will also enable them to compare different risks against each other. One common approach is a point system from 0 to 100 based on a range of quantitative criteria, including regularly measurable delivery delays or price fluctuations. Qualitative criteria can also be incorporated, such as a supplier’s capacity for innovation. This should be assessed through consultations between procurement and the relevant department.

Big data will also become more important in the future: for example, to compare supplier data, individual company requirements and macroeconomic developments, and to assign them a representative overall score. This will then give procurement an increasingly broad basis for decision making – although staff will also have to gain specialist data management skills and have the relevant tools.

Merging different data sources creates transparency
(example of insolvency risk)

“What measures do you use to deal with procurement risks?” (Multiple answers possible)

Standard Regular supplier evaluations

81%

73%

Implementations of dual-sourcing strategies

81%

71%

Long-term framework contracts

72%

78%

Security stocks

43%

Specialized measures Predefined contingencies or emergency plans

34%

22%

Use of a risk early warning system

34%

37%

Hedging strategies

23%

Spend analyses und forecasts for trend identification

17%

Support programs for suppliers

11%

24%

Supplier monitoring (Big Data, AI)

16%

Managing risk to separate the wheat from the chaff

Effective risk management requires concrete action plans. How companies handle a particular risk will depend on the case in question and they will need to find a balance between acceptable effort/expenditure and likelihood of that risk occurring. Market analysis is one option for identifying alternative suppliers and regular inspection of alternative materials can also minimize risks. Companies that have a good relationship with their suppliers could also opt for vendor-managed inventory.

The risk management survey shows that companies currently tend to use standard tools to manage risk, with 81 percent carrying out regular supplier evaluations and the same number implementing dual-sourcing strategies. When it comes to pricing stability, 72 percent use longterm framework contracts, while just 43 percent have reserve stocks to cope with bottlenecks.

Significantly fewer respondents implement the more sophisticated measures; only around 34 percent have pre-prepared emergency plans and the same number utilize an early-warning system for risks. 11 percent also have support programs for suppliers – which really come into their own in crises like the coronavirus pandemic – and just eight percent use big data solutions to monitor their suppliers.

Effective risk management requires concrete action plans.

Even companies that have so far managed without, will no longer be able to avoid the issue of effective monitoring.

Everything converges in risk monitoring

Companies with an efficient risk monitoring system can react quickly and are in the best possible position to act at an early stage. Even companies that have so far managed without, will no longer be able to avoid the issue of effective monitoring with supply chain laws being enforced. A risk monitoring system can only operate properly if procurement maintains a regular dialog with suppliers, so it can reassign risk categories on an ongoing basis and prepare emergency plans.

Risk monitoring brings all the various threads together. Procurement should also share the results with the relevant departments, such as controlling and/or quality assurance. It is crucial that risk management is seen as an ongoing process; results must never simply be filed away in a drawer.

To this end, companies should set up an IT-supported risk control tower that bundles and illustrates all relevant key figures and information. It is important that all relevant departments and the management are connected to this system on a cross-functional basis so that everyone involved has access to the latest information at all times.

Introducing this kind of system on a permanent basis can help create a supply chain that is more stable and resilient in the long-term and to minimize the associated risks. This approach to risk monitoring will also build stronger supplier relationships, as both parties will have a better understanding of each other’s needs.

CONCLUSION

From the Suez Canal and coronavirus to the crisis in the semiconductor market, the current situation very clearly illustrates the value of having an effective risk management system. It is crucial that risk management is recognized as an ongoing process.

In many companies, procurement will have to adopt a significantly more professional approach and take on the role of risk and information manager as well. Companies should also be open to new methods, such as big data solutions.

Implementing an efficient risk management system is a challenging process that involves getting to grips with company risk and requires several different departments to work together. It is essential that companies analyze their supply chains ruthlessly and honestly. On the other hand, once companies have taken the first step towards consistent risk monitoring, the effects can only be positive for them.

Authors

Philipp Mall

is a Managing Director at INVERTO in Cologne. As Head of the Competence Center for Procurement Management, he is an expert in procurement organization and controlling, risk management, and digitalization. He is responsible for the annual risk management survey.

contact@inverto.com

Experts on Risk-Management Tools

Risk-Management-Tools

Supply Chain Laws

Heiko Schwarz, why can it be so dangerous for companies if they fail to maintain a comprehensive overview of their supply chain?

Companies often underestimate the level of interdependency within supply networks. In tier 1, companies are now looking beyond traditional criteria such as financial stability and focusing more on diversification: in other words not just using one supplier or suppliers from the same region. Tier 2 is a different story though. Let’s say that your company buys its ball bearings from three different companies in different regions. You might think that you’ve diversified your risk, but the steps you’ve taken don’t go far enough because all three of your suppliers might buy from the same place. If their supplier is hit by a natural disaster, then your tier 1 diversification measures will not help you.

Why don’t companies have this level of transparency and why do they simply look at their direct suppliers?

Companies have ignored the issue of risk management for a long time now; the most they may have done is running credit checks on their business partners. Only in the last ten to 20 years have there been a few impacts that have triggered a noticeable change of heart – the financial crisis and the Fukushima disaster, to name just two. Since
then, many companies have started looking for ways to protect themselves against risks like these.

But they haven’t really managed it.

It goes without saying that it’s a very challenging process. Companies have to take a lot of risks, and a lot of information sources, into consideration to create a comprehensive picture. Data from credit agencies, insurance databases, media reports, platforms where supplier employees can post complaints – plus the data held by the company itself. As a general rule, the more precise the better. When it involves something like establishing the exact costs of a production failure in the supply chain, then you need complete transparency.

That sounds like an absolute mountain of data! How much actual use is all that data to companies?

Obviously raw data won’t tell you very much. You need software that can analyze this amount of data and use it to set priorities: in other words, to identify which events will have the greatest impact and which are most likely to occur. And that is where we come in. We work with our customers to create a score card in our software that gives a clear breakdown of the risks to which the company is exposed and where. This score card acts as a centralized storage point for all types of risks and for information from external and internal data sources, and it standardizes all this information to produce usable key figures and risk profiles. We also use artificial intelligence and algorithms, which could be another reason why companies haven’t had risk management on their radars before now.

Could you explain that final statement?

The technology that helps to analyze this amount of data and extract the relevant information for each customer hasn’t actually been around that long. Big data analysis has taken a huge leap forward in the last ten years. A company like ours wouldn’t have been possible before that leap as analysis on this scale, with manpower alone, would have been out of the question. Artificial intelligence ensures that the right people receive relevant, credible and up-to-date information at the right time so that they can proactively manage risks across all sectors. The AI algorithms learn which media reports on potential risks have practical relevance for supply networks, for example, and ignore anything that is irrelevant. Earthquakes, for example, can have very different effects depending on the region, industry and – of course – their severity.

What types of risk does the software display to users?

They can define the software to suit their individual requirements, as each industry will focus on different areas of importance. Production downtime is a fundamental risk for industrial companies in particular, but sustainability is also becoming increasingly important. Do my suppliers use child labor? How do they handle production waste? Our software can also take these kinds of factors into account. And the discussion about the German supply chain act means that it is becoming increasingly important topic Europe-wide and elsewhere for many companies.

Identifying risks is one thing, but drawing the correct conclusions is something completely different. Can your software help with this as well?

It can definitely indicate potential actions. If an analysis tells you that an important supplier is based in an earthquake zone, then you can either work with them to reduce their vulnerability or you can prepare emergency plans to deal with supply shortages if an earthquake happens – and, in an extreme case, the only solution may be to bring in additional, alternative sources. The software can present possible courses of action, e.g. by analyzing the extent of the damage or making suggestions, but the final decision about how to approach the situation is always down to the company.

How reliable is your forecasting model when it comes to unprecedented events? After all, these tend to hit supply chains particularly hard: just look at Fukushima, the coronavirus pandemic, the Suez Canal blockage, for example.

We wouldn’t have been able to predict Fukushima as it actually happened, but we were aware that the region was prone to earthquakes and tsunamis. So we would have issued warnings about the risks and potential mitigating measures to companies with important suppliers based in the region. Although we can’t foresee the Suez Canal being blocked up as it was, we can say that bottlenecks or intersections in the supply chain are repeatedly prone to disruption – but the extent of this particular case was definitely not predictable. But what we can do is predict the potential consequences very precisely and present potential courses of action, so that being prepared pays dividends.

And the pandemic?

There will always be unexpected events, things that are impossible to predict. Every model has its limits and I don’t dispute that at all. But these findings will obviously be included in future analyses, so the system will improve continually over time. And when the pandemic started, we were able to warn our customers in plenty of time about developments that would otherwise never have been identified. We work with an agricultural machinery manufacturer, for example, who has an important supplier in northern Italy. When the schools there were shut down, our software identified this as the precursor to a lockdown and notified the company. Our customer reacted immediately – and the supplier’s factories in the area were actually forced to close soon afterwards.

Have the events of the last year also given you a boost?

I’m reluctant to exaggerate things. Yes, the pandemic has helped raise awareness about risk management, but it has been one of the top three priorities in procurement over the years, even before COVID-19, and it’s been moving up the list. In other words, the responsible parties were already aware of the importance of risk management in their supply chain. At the end of the day, taking proactive measures can save them money and protect their reputation. Recent surveys have shown that risk management is the top investment priority for chief procurement officers, alongside digitalization.

Supply chain traceability is high on the agenda everywhere – be it the Modern Slavery Act in the UK, the Child Labor Due Diligence Law in the Netherlands, the German Supply Chain Act or the Loi de vigilance in France. How companies are supposed to implement the requirements still remains a mystery to many.

Supply chain laws have the potential to significantly shake up the European economies. It may mean that companies are more sustainable in what they do, and that suppliers in other countries are mindful of human rights. As criteria such as sustainability and human rights have already been important to both customers and employees for a long time, implementing the relevant measures under a new law could even give companies competitive advantages.

On the other hand, the law may also mean that companies are strangled by red tape and forced to pay expensive penalties, suddenly at a clear competitive disadvantage compared with foreign competitors. The idea is both right and necessary: after all, its intention is to ensure that human rights are respected and to apply appropriate pressure on international suppliers as well. What is often not clear, however, is exactly how companies are supposed to go about this. After all, supply chains are widely ramified, and in the long term, companies should also influence downstream suppliers.

Identifying Actions Early

In most cases, companies must ensure that they implement the relevant specifications within their individual business areas as well as asking the same of their direct suppliers. This means that companies should get involved with indirect suppliers if they become aware that one of these suppliers is not complying with human rights. Creating and maintaining an overview of every direct and indirect supplier will be quite a challenge for companies and many will have to completely rejig their internal processes. But the good news is that it can be done – provided that companies get to work immediately.

Smaller suppliers should also be aware that larger ones will be passing the pressure onto them. If an automotive OEM, for example, has to audit its supply chain for human rights standards and other sustainability criteria, it will make sure that any smaller companies that it works with are also observing those specifications. Therefore,
even though laws in some countries are linked to company size, ideally all companies should be prepared to meet new sustainability and human rights requirements.

Using Effective Risk Management as a Starting Point

Companies should start by taking a look at their existing risk management systems. In some cases, this will involve taking a self-critical stance and deciding whether a structured risk management system is actually in place, or whether the company has simply reacted to previous crises. Major corporations tend to be well organized already, but they should still audit their existing system to identify any areas where expansion might be required.

Procurement is in an ideal position to implement supply chain laws. No other company department has a close enough relationship with suppliers to gain a good overview and identify risks. This means that procurement has even greater responsibilities and is a more important link than ever between company departments and suppliers.

Bringing Suppliers on Board

The next step is for companies to inform their suppliers about the new requirements and then request the necessary data. It might, in many cases, mean that they need to extend their contracts or even to renegotiate them from scratch. Additional audits are therefore unavoidable for companies who have to come up with specific questions to check how far their suppliers are meeting these requirements. Fundamentally, this involves adding qualitative factors to existing audits.

Procurement can then classify suppliers into a range of categories: who is at risk of failing to meet their obligations, who needs to be put under pressure and who would the company prefer to get rid of completely? But convincing suppliers to support the new requirements is where it gets complicated – or even difficult or impossible when it comes to suppliers from Asian countries such as China. At the moment, all we can do is hope that the legislation will recognize that companies do not have greater leverage. Initially, it will be crucial for companies to follow proper processes: announcing new regulations, requesting documentation, conducting extended audits and then reassessing suppliers.

Conclusion: Every Cloud has a Silver Lining

All of these measures involve increased time and effort, of course, so companies should start by focusing on their direct suppliers. When they audit these suppliers, they should also ask them about the situation with their suppliers. If this does not produce any information about potential violations of human rights or flouting of environmental standards, then at the moment companies will not need to do any further investigation. Smaller companies in particular also have the option of working together – for example, sharing information about supplier risks – to share the load. Risk management software can also help to shed light on the darker areas.

Despite all the uncertainty, and criticisms, companies should try and see the opportunities that these laws create: they can actively help to implement global social and environmental standards which will also create economic advantages for them in the long term..