OK, now that I have your attention. Am I being provocative? Yes … and no. If the purpose of supply risk management is to ensure supply that is: available, reliable, high quality, well priced, supporting lowest TCO, ethically sourced, etc. (per the enterprise mission and brand), then we really “just” need to clarify what constitutes the performance of supply and the causal factors which impact it. But, this is a big “just”. It means first translating the performance of supply from the business (i.e., the true ‘risk owners’ who ultimately own the performance of supply) to the inbound supply chain to a commodity to the supplier and even down to the part/spec/site level — and then ensuring that your processes for extended network design, sourcing, and supplier management are addressing the risk factors that can impact that supply performance. That’s a tall order to expect as a bottoms-up outcome.
For example, if you look at a company’s sourcing and supplier management processes, you might find risk-oriented knockout criteria in an RFI. Or you might find a regulatory compliance driven process in supplier measurement. But for the latter example, do you have an explicit risk score in your supplier scorecard? Most organizations don’t. There is a direct analog to the quality area here in terms of placing emphasis on process capability and managing upstream causal factors. A TCO model that includes quality costs (i.e., a ‘cost of quality’ model) is not only similar, but actually overlapping with the ‘cost of risk’. In other words, you can pay for risk prevention now or pay for external failure later.
This is why, although you should theoretically be able to bake your supply risk management processes systematically into your existing supply management processes (sourcing, SPM/SRM, etc.), the fragmented and reward-biased performance measures don’t encourage this end-state approach. This is why a bottoms-up process usually does not work, and why it requires that Procurement/SCM not only work with the natural risk owners to build the cost/risk models, but also use those models to have the top-down discussion with senior management on how the firm wants to deal with it and what the cost of doing nothing is. To quote the rock band Rush: “If you choose not to decide, you still have made a choice”. (Freewill) And some organizations might be able to tie into an existing enterprise risk management and corporate sustainability governance structure.
Another important strategy is to have a good diagnostic, and some external benchmarking intelligence, as part of this process — especially when trying to justify the effort beyond ‘it is the right thing to do’. Showing where you are vs. other firms and how well you/they are performing in supply risk (and comparing that performance to capabilities) is a good way to support the discussion. And so is having a good ‘cost of risk’ model. But quantification is tricky, and that’s why we launched a supply risk study about a month ago that we’re closing down this weekend, that uses this type of model (and other existing benchmark data that we have) to help firms arm themselves with some good insight on elevating the conversation. Why? To get more attention, resources, and proper measures/alignment that cascade back down to get baked into the processes. Once they’re baked in, you won’t need a ‘program’ anymore — you’ll have a proper risk-adjusted process. The corporate practitioner study takes 30-40 minutes or so, but like other Hackett performance studies, it is: complimentary, confidential, credible, and hopefully invaluable.