Once upon a time in the not too distant past, the extent of most organizations' supplier risk monitoring was to run periodic credit reports on their largest suppliers. If financial health is the only supplier risk factor you are monitoring, you are exposed to a number of dangers for which you are unprepared.
How important are these risk factors? The identification, measurement and monitoring of these supplier risk factors is mandated by governments and regulators around the world for businesses in the financial services industry. Companies across all industries should be monitoring and managing these risks for their most strategic suppliers through the sourcing and contracting process, and post-sourcing governance programs:
1. Geopolitical / Country Risk
Geopolitical risk arises when events within a country or region impact the ability of your supplier to provide the contracted goods or services in the agreed timeframe or to agreed quality levels. Examples of geopolitical risk include:
- An act of terror grounds the local transportation system in a particular city, and as a result employees of your supplier are unable to get to work.
- In retaliation for a trade policy enacted by your local government, the government of a country from which you source a number of goods or services institutes an export tax which increases the costs to you of any purchases made in that country.
- A weather event or natural disaster takes down the electricity grid for a prolonged period of time, closing down the office or manufacturing plant of your suppliers in that area.
- Local union members blockade all ports and airports in response to government policy proposals, severely impacting your ability to transport goods from that country and leading to parts shortages.
2. Concentration Risk
Concentration risk exists when you have a lack of diversification across your supply base. A lack of diversification can occur in many scenarios, from the sole sourcing of critical components to a single supplier to the outsourcing of business processes to multiple suppliers all located in the same city. Examples of concentration risk include:
- The sourcing of a business-critical good or service to a single supplier, where alternate sources of supply exist.
- The sourcing of a number of critical or non-critical goods or services to a single supplier, leading to an overdependence on that supplier.
- You may source goods and services to a range of suppliers to diversify risk, but those suppliers may subcontract parts of the work to the same subcontractor, leading to concentration risk with that subcontractor.
- You may source goods or services to a range of suppliers who ultimately manufacture or provide services from the same geographic area (building, city, state, country). This leads to geopolitical concentration risk.
- Your company may represent too great a percentage of the total business for a given supplier, leading to a dependence on you by your supplier. This leads to the stability of the supplier being tied directly to the stability of your company.
Concentration risk often goes undetected, and it is not unusual that a strategy to avoid one kind of concentration risk (for example, the use of multiple suppliers) inadvertently leads to another kind of concentration risk (for example, geographic concentration).
3. Strategic Risk
Strategic risk is the risk that occurs as a result of your poor business decisions. Examples of strategic risk include:
- You source a good or service to a supplier who offered the lowest cost, but that supplier has no experience providing the good or service that you require. As a result, they are unable to provide the contracted goods or services at the quality required, or require price increases to bring the good or service up to the required standard.
- You select a supplier to provide a good or service, and that supplier is experienced at providing the good or service to other clients. However, you do not provide any oversight of the engagement, and as a result the supplier provides poor quality goods or services, or is unable to deliver the goods or services in line with previously agreed timelines, impacting your ability to serve your end customer.
4. Reputational Risk
Reputational risk is a risk that occurs when your actions, or those of your supplier, cause negative public opinion. Examples of reputational risk include:
- Your supplier is providing the contracted goods or services at a poor quality, which leads to complaints from your customers.
- Your supplier is using, either directly or through subcontractors, an underage workforce to provide goods or services that are ultimately provided to you. The news media runs a story about this and links the underage workforce to your brand, leading to negative public relations.
5. Compliance Risk
Compliance risk occurs when either you or your service provider do not comply with local laws, or when your service provider does not have adequate controls in place to ensure that their employees comply with internal policies and procedures. Examples of compliance risk include:
- A member of your team in China pays a bribe to a local official to speed up the export process for components being shipped to your US factory.
- To ensure your supplier can provide the contracted services, they build an internal playbook that details the process steps that need to be taken in provision of the service. However, the employees of your service provider have not been adequately trained and therefore are not able to follow the required process steps.
6. Operational Risk
Operational risk occurs when your company does not successfully integrate your processes and policies with those of your supplier, when such an integration is required to enable the supplier to provide the contracted goods or services. For example:
- You have outsourced a portion of your Accounts Payable department to an offsite service provider. In order for your supplier to process invoices for payment, they must receive approval to pay from your company. Unfortunately, your company does not have a formal process by which approval to pay is provided to your service provider. This significantly delays their ability to pay your invoices, and leads to them not being able to meet their contractual service levels.
7. Credit Risk
Credit risk occurs when a supplier is unable to meet the obligations that they are contractually committed to provide. This may be a result of poor financial condition, or because your supplier is unwilling to provide what was contractually agreed to because the cost of providing that good or service is higher than was anticipated. Examples include:
- Your supplier committed to provide goods or services at a price too low, so they cannot make a profit on the business. The supplier did this either due to a miscalculation of the cost to provide the good or service, or because they agreed to a low price to maintain revenue or a business relationship. This most often occurs when the buyer has significant power in the negotiations and pushes the supplier to agree to a price that is not sustainable.
- Your supplier has agreed to provide goods or services at a price which enables them to make a profit. However, due to poor overall financial health, the supplier makes internal changes to reduce their costs which impacts their ability to provide goods or services at least in line with the contracted minimum quality or service level standards.
8. Financial Risk
Financial risk occurs when your supplier encounters financial difficulties that impact their ability to provide the contracted goods or services. Financial risk includes:
- Your supplier encounters financial difficulties, and as a result they replace their employees with lower cost employees, leading to a reduction in the quality of the good or service provided.
- Changes in foreign exchange rates impact the price that your offshore supplier receives for the good or service that they provide, reducing their profitability, and potentially leading to financial troubles.
- Your supplier enters bankruptcy protection, and a court voids their contract with you. As a result, you must quickly find an alternative source of supply, leading to cost increases and potentially impacting your ability to secure supply.
9. Contractual Risk
Contractual risk occurs when the terms and conditions that govern your relationship with your supplier do not have appropriate controls and protections that ensure you receive the required goods or services at a minimum quality level, and mitigate any risks that may occur as a result of your relationship. Examples of contractual risk include:
- Your supplier is not obligated to provide goods and services to the level that you require because the service level agreements and/or key performance indicators are not adequate; or the contract does not include penalties that incentivize the supplier to provide goods and services at the required level.
- Your contract with your supplier does not stipulate how your data will be protected, and what remedies would be available to you in case of a data breach.
For more information on the US regulatory requirements that dictate how financial services firms should manage these risks, check out the following:
- Office of the Comptroller of the Currency (OCC) Bulletin 2013-29: Third Party Risk Management Guidance
- Federal Deposit Insurance Corporation (FDIC) FIL-44-2008: Guidance for Managing Third Party Risk
- Federal Reserve (FRB) SR 13-19: Guidance on Managing Outsourcing Risk
- Consumer Financial Protection Bureau (CFPB) Bulletin 2012-03: Service Provider Management
Do you agree? What other supplier risk factors should a company be monitoring? Join the conversation in the comments section or on Twitter (@pideson). #procurement