Source-to-Pay+ part 2: End-to-End Risk Management

In Part 1 we noted that Risk Management goes well beyond Supplier Risk, and that a primitive Supplier “Risk” Management application (which we prefer to label Supplier Uncertainty Management, since it is not full-blown risk management and there is uncertainty as to how much it will actually do for you) is only the beginning of what your organization will likely need.

When it comes to risk, there are risks in:

  • your company
  • your suppliers
  • their suppliers
  • third parties you interact with (which may not be [direct] suppliers of goods or services)
  • your carriers
  • your supply chain network (ports, warehouses, [cross]docks, etc.)

These risks can lie with:

  • your people
  • your board
  • your investors
  • your supplier’s people, board, or investors
  • the materials your suppliers use
  • the locale they operate in
  • the suppliers your suppliers use
  • the locale they operate in
  • the carriers
  • the ports your carriers use
  • the warehouses used for interim storage
  • and any other part of, or player in, the supply chain

And the types of risks are numerous. They include, but are far from limited to:

  • unskilled/uncertified people
  • sanctioned/prohibited individuals and entities
  • restricted / banned materials
  • use of underage / forced / slave labour
  • geo-politics
  • economics / currency fluctuations
  • natural disasters
  • labour unrest / strikes
  • fraud / theft
  • the internet
  • and so on

And you need a very extensive application to identify, analyze, monitor, mitigate, and manage these risks. In fact, you may even need a suite of these applications, especially when you consider that most applications consider risks from the viewpoint of:

  • the company (especially those that offer GRC applications)
  • the supplier / third party (SRM/SUM+ / TPRM)
  • supply chain visibility
  • … w/or in-transport visibility
  • w/or multi-tier (manufacturing chain) visibility
  • cyber monitoring

And such an application will need entity- or function-specific capabilities as well as generic capabilities. The generic capabilities might include, but are not limited to:

  • data feed/stream integration
  • metric definition
  • trend analysis
  • user defined reports
  • data / trend monitoring
  • (mitigation) plan creation
  • plan management

Risk is broad, and the solution footprint needs to be broad as well. In the next few articles we will tackle some of the major application areas we noted above.