Daily Archives: February 28, 2007

Protiviti: Manage Risk, Reap Reward

Your supply chain will be disrupted. Bet on it. You’ll win. The only two things more absolute in this world are death and taxes. I’ve told you that there is Real Risk in your supply chain. I’ve reviewed the basics of Managing Business Risk. I’ve even went so far as to tell you that Your Supply Chain is NOT Secure. But I still feel that I have not even come close to drilling the point home as to how at risk you are every minute of every hour of every day or how likely it is that your supply chain is going to be disrupted in a big way – and how much this will cost you if you are not prepared.

But that’s a post for another day. Today, I’m going to start helping you identify where you can go to get help, and the first company I’m going to point out to you is Protiviti, specialists in Independent Risk Consulting with an in-house expert group on Supply Chain Risk. Rising from the ashes of the old Arthur Anderson back in 2002 (with a little help from Robert Half International), Protiviti has more than quadrupled in size without diverging from their core practices of internal auditing, technology risk management, and business risk management (where the supply chain group resides).

Recently, I was fortunate enough to be able to talk to one of the leaders of the Supply Chain Risk group at Protiviti and talk about how they help clients identify, mitigate, and manage supply chain risk and I was quite satisfied with what I heard. Rather than trying to sell you a big black binder with an industry standard system generated risk management plan (which is not as useful as you might think since every company is different and has different risks), they instead work with you using a well-defined methodology that they’ve refined over the years to build a complete picture of the risks you face (a risk assessment), the mitigations you have in place or available to you, and a plan for managing those risks going forward. Furthermore, they help you build appropriate cross-functional teams that they work with throughout the process to make sure that when they are done, you understand not only what your risks and mitigations are, but how they were derived and how you carry the process forward.

The first thing they do, and you must commit to this for the process to work, is a risk assessment that evaluates your overall operations, supporting supply chain, regulatory environment, and organizational goals to help them build a risk profile that helps you understand where your risks are, the probability of them happening, and the dampening effect of any mitigations you currently have in place. They then categorize the risk universe into meaningful groupings, such as operations, supply base, distribution chain, and regulatory environment, that can be addressed and evaluated from a similar functional perspective. Then, working with your cross-functional teams, they help you qualify the probabilities, potential impacts, and mitigations that you can use to address them, including controls and monitors that you already have in place today. They then help you refine any identified and approved mitigations into processes and procedures that you can use to detect and manage a risk. After all, risk management is not a one-time project, but a continual process. However, you have to start somewhere, and a project focussed on supply risk is a great place to start.

They also assist you in putting in place critical and sustainable/repeatable risk management capabilities including, but not limited to, strategies, policies, processes, organizational accountabilities, information for decision-making, continuous identification, monitoring and control, tools and methodologies, and base data integrity procedures.

However, what I really liked hearing was that Supplier Relationship Management (SRM), Contract Lifecycle Management (CLM), and Compliance Management (CM) best practices done right were really risk management processes. SRM is not about managing your supplier, it’s about managing the risk associated with a supplier not performing. CLM is not about keeping track of a contract over it’s lifetime, but about making sure the critical terms of the contract, designed to mitigate your risk, are adhered to. CM is not about making sure your purchasers don’t go rogue, it’s about managing maverick spend to non-approved suppliers that increases your risk. After all, the key to long-term sustained financial performance is not cost savings – you’re always going to have to spend money – it’s cost avoidance – making sure you don’t spend any more than you have to. I know a lot of executives, and CFO’s in particular, these days only care about cost savings, but they’re just a bunch of short-sighted nitwits who need a good smack up-side the head. After all, there’s a limit to how much you can save! Once you’re performing at the best-in-class level, sourcing every category at market value, and optimally allocating the award so as to minimize your Total Value Management (TVM) lifecycle cost (or Total Cost of Ownership on steroid cost) – there’s nothing left to save – the best you can do in such a situation, should you be enlightened enough to reach it, is to avoid unnecessary spending. You avoid unnecessary spending by making sure everything goes according to plan. You do that by managing risk.

Another tidbit worth repeating is that they are currently working with Michigan State University(and AMR) on a new certification program for C-level executives in value chain risk management to help them understand, and proactively manage, risk. After all, considering one supply chain disruption can wipe out all of your strategically sourced savings, it’s critical that not only you, but your financial decision makers, understand this and allow you to invest in the methodologies and tools you need to make sure that if something really bad happens (your primary contract manufacturer’s plant goes up in smoke, for example), you know about it in time to do something about it (such as immediately route all your orders to your secondary manufacturer) before your supply chain shuts down, and you lose millions of dollars in sales.

So when you embark on your next risk management planning effort, be sure to put Protiviti on your list of potential vendors. (The reality is that such an effort is something you should never embark upon entirely in house – you’ll never see all of your own weaknesses.)