Category Archives: Risk Management

Financial Business Risk Prioritizes Supply Chain Vulnerabilities …

… but it does not identify those vulnerabilities, although it can tell you where to start looking. So while an article in the SCMR last year provided a good overview of how to evaluate, and quantify, supplier risk, its title was misleading when it said the authors were calculating business risk to identify supply chain vulnerabilities.

The article, which described the authors’ approach to improving the evaluation of risk impact on a business, culminated in four main findings. The approach, which looked at the total financial impact a supplier failure would have, yielded two findings that we have known for over a decade, ever since Resilinc pioneered the practice of assessing the financial risk associated with a supplier failure (based on mapping where all of a supplier’s parts are used and which of those are single source):

  • procurement spend with a supplier is NOT correlated with the financial risk of a supplier
  • part standardization can increase business risk impact

As well as two insights that are rather new:

  • procurement spend is not correlated with the revenue of the company (the Resilinc model could have shown this, but they did not focus on it or collect those metrics the last time SI was made aware of their methodology)
  • true high-impact suppliers account for a substantially smaller share of spend than an organization might think; in the authors’ study, they represented only 28% of total spend (whereas most companies will flag the high-spend suppliers as high risk and identify the suppliers that represent almost three quarters of spend, 73% in this study)

The reason for this is that they linked all of the organization’s data sources that contained the BoM for each SKU, the revenue for each SKU, and the supplier(s) for each part in each BoM. By creating a network of connections between components, products, and suppliers, and identifying single-source parts, the link between the criticality of a supplier and revenue became clear. Consider the supplier of the custom control chip for the fuel injection management, the cruise control, or even the tire pressure monitoring. If that supplier fails, the absence of a single $10 custom control chip can halt a multi-million dollar production line and close an entire plant, as the recent semiconductor shortage did to many plants during COVID. Because these chips were going into $10,000 to $100,000 cars, such a supplier accounts for a negligible fraction of spend and would never have blipped on a spend-based risk assessment. And this is just one example.

But it is an example that demonstrates the blind spot companies have with respect to small and specialized suppliers that aren’t in the top 80% of spend but supply sole-sourced and/or custom parts or products. This means that when doing a risk assessment, it’s not just risky suppliers or risky supply chains that need to be assessed; it’s any supplier that supplies something that isn’t easily replaced from another source should something happen to the current supplier. The probability that the supplier fails may be low, and the probability that you couldn’t quickly modify a design to use an alternative lower still, but you don’t know until you assess. And that assessment must be revenue and criticality based, not spend based. Spending $100M with a steel supplier to acquire the raw material for a frame assembly makes the supplier strategic, but doesn’t make that supplier a supply risk when all of its competitors offer the same grades of steel. But if you need a custom chip for that car, power transformer, etc., and you currently have only one supplier that can make it, then that supplier, no matter how stable and low-risk its profile looks, is a risk even if it gets one hundredth of the spend. And you need to determine whether it has any vulnerabilities and, if so, monitor them so you won’t be surprised by a sudden failure.
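A minimal version of the linkage described above, as an added example (it is not the SCMR authors’ or Resilinc’s model, and every part, SKU, supplier and dollar figure in it is constructed): a part is single source when it has exactly one approved supplier, and a supplier’s revenue exposure is the revenue of every SKU whose BoM depends on a part that only it can supply. Run it and the $100M steel supplier tops the spend ranking while the sub-1%-of-spend chip supplier carries most of the revenue at risk.

```python
"""Revenue-at-risk per supplier from a linked BoM / SKU revenue / supplier graph.

Added illustration, not the SCMR authors' model. All part names, supplier names,
revenues and spend figures below are constructed sample data.
"""
from collections import defaultdict

# part -> approved suppliers. A part with one approved supplier is single source.
PART_SOURCES = {
    "steel_coil":   {"SteelCo", "IronWorks"},   # commodity grade, dual sourced
    "tpms_chip":    {"ChipCo"},                 # $10 custom chip, sole source
    "ecu_chip":     {"ChipCo"},
    "seat_fabric":  {"TextileA", "TextileB"},
    "battery_pack": {"CellMaker", "PowerInc"},
}

# SKU -> (annual revenue in USD, BoM as {part: quantity per unit})
SKUS = {
    "sedan": (400_000_000, {"steel_coil": 1, "tpms_chip": 4, "ecu_chip": 1, "seat_fabric": 5}),
    "suv":   (600_000_000, {"steel_coil": 1, "tpms_chip": 4, "ecu_chip": 1, "seat_fabric": 7}),
    "ev":    (300_000_000, {"steel_coil": 1, "battery_pack": 1, "seat_fabric": 5}),
}

# supplier -> annual procurement spend in USD
SPEND = {
    "SteelCo": 100_000_000, "IronWorks": 20_000_000, "ChipCo": 1_200_000,
    "TextileA": 8_000_000, "TextileB": 6_000_000,
    "CellMaker": 50_000_000, "PowerInc": 45_000_000,
}


def single_source_parts(part_sources=PART_SOURCES):
    """Map each part that has exactly one approved supplier to that supplier."""
    return {part: next(iter(srcs)) for part, srcs in part_sources.items() if len(srcs) == 1}


def revenue_exposure(skus=SKUS, part_sources=PART_SOURCES):
    """Annual revenue that stops shipping if a given supplier fails.

    A supplier's exposure is the revenue of every SKU whose BoM contains at least
    one part that supplier sole-sources. Multi-sourced parts contribute nothing,
    since a qualified competitor can fill the gap. An SKU is counted once per
    supplier even if it uses several of that supplier's sole-source parts.
    """
    sole = single_source_parts(part_sources)
    exposure = defaultdict(int)
    for revenue, bom in skus.values():
        for supplier in {sole[part] for part in bom if part in sole}:
            exposure[supplier] += revenue
    return dict(exposure)


def spend_share(spend=SPEND):
    """Fraction of total procurement spend per supplier."""
    total = sum(spend.values())
    return {supplier: amount / total for supplier, amount in spend.items()}


def ranked(metric):
    """Keys of a {name: value} dict, highest value first."""
    return sorted(metric, key=metric.get, reverse=True)


def top_by_spend_vs_exposure(skus=SKUS, part_sources=PART_SOURCES, spend=SPEND):
    """Return (top supplier by spend, top supplier by revenue at risk)."""
    return ranked(spend)[0], ranked(revenue_exposure(skus, part_sources))[0]


if __name__ == "__main__":
    exposure, share = revenue_exposure(), spend_share()
    total_revenue = sum(rev for rev, _ in SKUS.values())
    print(f"{'supplier':10} {'spend share':>11} {'revenue at risk':>16}")
    for supplier in ranked(SPEND):
        at_risk = exposure.get(supplier, 0) / total_revenue
        print(f"{supplier:10} {share[supplier]:>11.1%} {at_risk:>16.1%}")
```

The spend/exposure split is the whole point: any spend-threshold cut (the top 80% of spend) drops ChipCo before it is ever assessed, while SteelCo, the biggest line item, carries no revenue at risk because a second qualified source exists. The same walk extends to sub-tier parts wherever the BoM data reaches that deep.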

Can’t Get Your Contracts In Your Sights? Maybe You Need a Birdseye.

Birdseye(.digital) was created by With, a strategic consultancy founded to enable strategic sourcing and contract management excellence, to solve the most critical problem its clients had in realizing value from strategic sourcing: post-signature execution. This, as we identified yesterday in our post on why aren’t you realizing the full value of your sourcing efforts, is one of the primary reasons that up to 40% of the value identified during a sourcing project never materializes, as value realization requires proper Procurement (and a proper system), proper logistics (and a proper system), and proper contract execution management (and a system to support that).

Birdseye(.digital) was created for the

  • Procurement Managers,
  • Contract Managers
  • Risk and Compliance Managers, and
  • Legal Counsels and Advisors

who are responsible for managing the organization’s contracts, allowing them to get a 360 view of each contract as well as all contracts that fall under their purview and/or relate to a compliance requirement, risk, or obligation that they are responsible for.

So what is Birdseye(.digital)? It’s fundamentally a contract governance solution that allows you to define:

  • the responsibilities (obligations) of the organization as tasks and action items
  • the risks that need to be tracked and managed
  • the supplier management and (re)qualification activities
  • the stakeholder engagement and surveys

The primary components that allow this are:

  • workflows
  • risk matrices
  • forms
  • review/governance templates (scenarios)
  • calendars
  • dashboards

Workflows

When an obligation or action item is defined and assigned, the platform will track it, notify the appropriate stakeholders when it is coming due, kick off associated activities when a task is done or a status changes, and monitor those as well.

Risk Matrices

A user can associate all risks relevant to each (sub)contract, track their levels, track changes over time (during [regular] review schedules), define notifications on change, and associate mitigations. The user can also define a custom risk matrix that derives a color-coded risk level from the combination of risk probability and impact for easy visual display and classification. This lets users quickly see whether there are any high or critical risks associated with a contract and whether mitigations have been defined, and compute an overall risk level for the contract, which can be monitored over time during regular reviews.

Forms

Just like modern RFP solutions, a user can build their own custom review/survey forms with ease and associate them with scenario templates, activities, or one-off projects. They can also attach files as needed.

Contract (Review/Governance) Templates (Scenarios)

The system allows administrators to define scenario templates that specify, for a contract of a given type, which obligations and activities should be tracked, which reviews and surveys should be done, how often they should be done, and who should do them (by role). This means that governance for a contract is easily set up simply by selecting a scenario template when a contract is signed or entered into the system post-signature. Selecting a predefined scenario template from a single dropdown sets up all of the default management activity required over the contract lifecycle with a single click. An organization that takes the time to classify its contracts and management processes can manage them with the utmost ease.

Dashboards

Of course, Birdseye comes with a full suite of dashboards that give complete 360 insight into the contracts, with filtering down to any subset, individual contract, or subcontract of interest. This lets all of its users understand how a contract, supplier management effort, compliance initiative, or other activity is going. Since the platform can also be linked to a P2P or ERP system (Oracle, SAP, and any platform with an open API that allows an invoice to be linked to a contract ID), it can also report the total spend impacted by a contract, category, or initiative.

There are out-of-the-box activity dashboards for projects, contracts, relations (third parties, which can be suppliers, consultants, etc.), and catalogues (of products or services that contracts can be linked to), as well as a customizable activity dashboard for each user that overviews their contracts, projects, relations, reviews, action items, stakeholder contributions, etc. through drillable widgets that can be filtered on every dimension down to the raw data records, which can be popped up or exported as needed. These dashboards, in addition to the standard metric/spend dashboards, can also be of the Red/Amber/Green traffic-light variety.

Calendars

Just like any good (project) management solution, a user can also get a calendar view of an activity, contract, or all of their tasks to easily determine what they have to do and when. The system was designed with management efficiency in mind, because the developers know that any system that is too unwieldy doesn’t get used, and, thus, the only way to extract all of the value out of a contract is to create a system that makes a user’s tasks as easy to identify, and do, as possible. The user can add tasks and activities as needed and customize their calendar to their liking.

Crossing the Ts

As for the basics, you can have as much metadata as you want associated with a contract, and add new metadata fields anytime you need to. In addition to easily being associated with a scenario template of choice, it can have as many tags as you like, be associated with a projected value, be associated with any parent or subcontracts, and have as many attachments (with versions) as required. In addition to the action items, risks, and obligations discussed, it can also have associated issues, rights, catalogues, invoices, reviews, stakeholders, and connected projects (such as reviewing all contracts with a generic force majeure clause). There are also checklists that can be associated with contracts and projects to help a user ensure they’ve dotted all the i’s and crossed all the t’s in the execution of the contract.

If the contract (template) was not created in the platform, then when a user uploads an agreement, the platform uses AI to identify all of the metadata associated with a contract of the given type (using Google Gemini today; future releases will let users choose between Google Gemini and Anthropic Claude, as they found the latter works better for organizations that contract in multiple languages). It not only lets the user override anything it extracts (as it’s not perfect) but shows the user its confidence ranking for each extracted field. The user can filter by confidence and only needs to review/validate the low-confidence values to have very high confidence in the auto-extracted metadata. One check a buyer should make before uploading sensitive agreements: since extraction is delegated to a hosted model from a third party, confirm with the vendor what contract text leaves the platform for extraction and how long the model provider retains it.

System Administration and Configuration

As we have hinted above when we noted that the user can add and track any metadata fields that they like, the system is very configurable and the administrator also has full control over:

  • business unit hierarchy which can define visibility rights
  • users who can be assigned very broad, or very narrow, roles
  • tags that can be defined and modified as needed
  • reviews and the processes and timelines they follow
  • tasks and the basic templates and workflows
  • email templates that are used for notifications
  • currencies and mappings that are used if invoices are pulled in for spend tracking
  • usage monitoring, including how to track who is, and is NOT, using the system
  • folders and structure for contracts and attachments
  • deleted record management as even deleted records are preserved for audit trails until a user with authority determines they can be permanently deleted

It’s a well thought out, usable, and fairly complete contract execution management system that goes well beyond creation, storage, and signing … which we know is where many older-generation contract lifecycle management solutions stop. The most important point is that they’ve found that customers who fully embrace the solution see a 30% value increase from using it. This shouldn’t be taken to mean that it can single-handedly prevent the loss of the 30% to 40% of identified savings that traditionally goes unrealized after a sourcing event, but that it prevents about a third of that loss; combined with a good e-Procurement system and good logistics management, you might actually be one of the first organizations to realize almost all of the savings you negotiate (since a good e-Procurement system typically increases savings capture by a third as well, and proper logistics paired with proper warehouse and inventory management saves a bundle too). The 2X process efficiency its clients see more than pays for the system on its own, so imagine the results if you also realize another 30% of the identified savings on every sourcing project. (Add the 50% reduction in audit findings its clients also see, a reduction that grows further for any customer with an integrated P2P that ties invoices to contracts, as they can check full payment compliance as often as they need to.) So if you are missing a birds-eye view into your contracts, maybe you should check out Birdseye(.digital).

2025 Is Just Another Year … But Is It All Doom and Gloom? Part 5 (Risk Reduction)

It’s just another year, unless you look beyond the hype, identify true talent, give them real solutions, and then truly tackle the threats … with strategies for success.

Supplier (Plant) Shut Down

In reality, typically only three things shut down a supplier:

  • Bankruptcy
  • Disasters
  • Governments

With respect to each of these:

  • you can typically predict bankruptcy from financial monitoring, which is readily available for public companies, partially available for private companies that depend on international trade (just monitor the public trade data), and highly correlated with a noticeable decrease in quality or performance (which can be predicted from your own data)
  • you can’t predict disasters, but based on geo-location you can predict type and likelihood, and subscribe to news-based event monitoring services to identify when one happens that likely impacts your supplier (and then verify), so you know the minute a disruption occurs, and not three months later when the order doesn’t materialize
  • governments will generally only shut down a company if it is a fraudulent enterprise or when they are nationalizing something that was private; your category expert consultant can tell you whether the country the supplier/plant is in has a history of forced public acquisition or is eyeing restrictions on the industry (and otherwise, the risk is pretty much non-existent)

Supplier Becomes Unreachable

This usually happens as a result of three things:

  • sanctions
  • border closings
  • customs / port shutdowns due to strikes

With respect to each of these:

  • sanctions are typically politically driven and hard to predict, but a sanction list monitoring service can inform you within 24 hours if a supplier or connected party has been sanctioned
  • border closings usually result from trade wars or real wars, and news monitoring can indicate potential that can be monitored, and once the threat gets too high, you can proactively identify new / switch suppliers
  • the validity dates of customs / port union contracts are typically public knowledge, so you can monitor when they end, watch for news that negotiations have started once you get close (say 3 months) to expiry, and monitor statements put out by both sides during negotiations that could indicate a strike (vote) (and look at the history to see how often a strike [vote] results in a strike, how long it usually lasts, etc.)

Supplier Loses Access to Raw Materials

With respect to a supplier losing supply, they face the same risks you do with respect to supply lines, plus two more major ones and one minor one:

  • sanctions, border closings, and strikes
  • mine collapse / crop destruction from a natural disaster
  • government reclamations or limitations on natural resource extractions
  • mine / well runs dry!

With respect to each of these risks, if you map your supplier’s critical supply chain:

  • you can monitor sanction lists for sub-tier suppliers and news sources for events that would lead to border closings and strikes as you do for your suppliers
  • you can monitor news sources for events that indicate a natural disaster that would threaten or destroy raw material supply
  • you can research past history and monitor news sources for indications a government might restrict access to or reclaim natural resources from the private supplier in your supply chain
  • you can contact environmental experts to determine when a given source a sub-tier supplier depends on might run out!

Logistic Route Cut-Off

This is pretty straightforward to enumerate. In addition to port closures above, you have:

  • major carrier strikes and failures (as only public postal services can run deficits ad infinitum)
  • natural disasters that take down major roads, bridges, and ports
  • intermediate border closings on current routes

And the way you handle each of these is to:

  • monitor the financial scores from the financial monitoring services and the union contract expiry dates, so you know when to look for negotiations and their status and can predict whether you will need to lock in new carrier contracts before competitor quotes go through the proverbial roof in response to your carrier striking
  • monitor news sources for natural disaster events along your major supply routes
  • monitor geopolitical situations across countries on your routes

Procurement risk management doesn’t have to be hard to not only be good enough, but considerably better than your peers. Dwell on that.

2025 Is Just Another Year … But Is It All Doom and Gloom? Part 4 (Risk Redux)

It’s just another year, unless you look beyond the hype, identify true talent, give them real solutions, and then truly tackle the threats.

Risk Management IS Easy

And so is getting started with risk management as long as you approach it correctly! The key is not to try and identify every conceivable risk that might impact your business (there are literally too many to enumerate now and trying will drive you mad — but if you really want to try, we suggest starting with the 101 Damnations that SI chronicled for you back in 2015), but to identify what impacts would seriously hurt your business and work backwards to risks from there.

For example, if your primary revenue stream is products, what are your major product lines where a disruption would significantly hurt (and possibly even end) your business? Analyze the Bills of Material and identify what are the key components that can’t be easily sourced from a different vendor because they are proprietary and/or need a specialized manufacturing process. It doesn’t matter how much you spend on them or with the supplier, it matters how hard it would be to replace the component if it suddenly became unavailable.

Once you identify those critical components, look at

  • the supplier,
  • where the supplier is located,
  • what critical material inputs the supplier needs to make the component, and
  • how it gets the component to you.

The critical risks that you have to monitor for, mitigate, and manage if they arise are precisely those risks that would

  • shut down the supplier
  • cut the supplier off from you
  • cut the raw material supply to the supplier
  • cut off the logistics routes you depend on

That’s it. Yes, there are more risks. Yes, they could occur. Yes, they could have a big impact on your brand and your business. But chances are that as long as you keep getting product in, selling that product, and moving it out, i.e. as long as you have assurance of supply, everything else will eventually blow over or be forgotten. Even if there is a temporary disruption in profit, it will return and the business will continue. Sensationalist media can’t keep people’s attention if it tries to sell them the same story everyday, so unless your product actually kills people, you don’t really need to worry about brand damage (unless it’s due to a lack of quality control, but you should already be ensuring that on every contract signature and critical shipment). (Plus, preventing brand damage for something out of your control is PR’s job anyway!)
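The four risk classes above, together with the monitoring described for them in Part 5 of this series (sanctions-list screening of tier-1 and sub-tier parties, matching events to the supplier’s location, its raw material sources and the legs of its route, and a watch window on port and carrier labour contract expiry), as an added example in Python. It is not code from the original posts or from any monitoring vendor: every party name, sanctions entry, contract date and event in it is constructed, the classification rules are the posts’ bullet lists rendered as code, and the sanctions match is a simple normalized-name comparison where a production screen would add fuzzy and alias matching.

```python
"""Map one critical component's supply chain and classify incoming events into the
four risk classes: supplier shut down, supplier cut off from you, raw material
cut off from the supplier, logistics route cut off.

Added illustration with constructed data: party names, sanctions entries,
labour contracts and events are all hypothetical.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import re

# Corporate suffixes dropped during name normalization before sanctions matching.
SUFFIXES = {"ltd", "limited", "inc", "corp", "corporation", "gmbh", "llc", "plc", "sa"}


def normalize(name):
    """Lower-case, strip punctuation and corporate suffixes, so 'ChipCo Ltd.'
    and 'CHIP-CO' compare equal. Real screens add fuzzy/alias matching on top."""
    tokens = re.sub(r"[^a-z0-9]+", " ", name.lower()).split()
    return "".join(t for t in tokens if t not in SUFFIXES)


@dataclass(frozen=True)
class Party:
    name: str
    country: str    # ISO 3166 alpha-2


@dataclass
class CriticalComponent:
    part: str
    supplier: Party     # sole-source tier-1 supplier
    inputs: dict        # raw material -> sub-tier Party that provides it
    route: list         # ordered legs from supplier to you: (place, country)


@dataclass(frozen=True)
class Event:
    kind: str       # sanction | disaster | border_closing | strike | nationalization
    target: str     # party name for sanctions, country code for area events


def screen(parties, sanction_list):
    """Names of parties (tier-1 and sub-tier) whose normalized name is listed."""
    listed = {normalize(n) for n in sanction_list}
    return [p.name for p in parties if normalize(p.name) in listed]


def risks_hit(comp, ev):
    """Which of the four risk classes an event triggers for this component."""
    hits = set()
    sup, subtier = comp.supplier, list(comp.inputs.values())
    route_countries = {country for _, country in comp.route}
    if ev.kind == "sanction":
        target = normalize(ev.target)
        if target == normalize(sup.name):
            hits.add("supplier cut off")
        if any(target == normalize(p.name) for p in subtier):
            hits.add("raw material cut off")
    elif ev.kind in ("disaster", "nationalization"):
        if ev.target == sup.country:
            hits.add("supplier shut down")
        if any(ev.target == p.country for p in subtier):
            hits.add("raw material cut off")
        if ev.kind == "disaster" and ev.target in route_countries:
            hits.add("route cut off")
    elif ev.kind in ("border_closing", "strike"):
        if ev.target == sup.country:
            hits.add("supplier cut off")
        if any(ev.target == p.country for p in subtier):
            hits.add("raw material cut off")
        if ev.target in route_countries:
            hits.add("route cut off")
    return sorted(hits)


def expiring_contracts(contracts, today, window_days=90):
    """Port/carrier labour contracts expiring within the window (the post's
    'say 3 months'), earliest first. contracts: {name: expiry date}."""
    cutoff = today + timedelta(days=window_days)
    return sorted((n for n, d in contracts.items() if today <= d <= cutoff), key=contracts.get)


# Constructed sample: a sole-source $10 tyre-pressure chip and its upstream chain.
TPMS = CriticalComponent(
    part="tpms_chip",
    supplier=Party("ChipCo Ltd.", "TW"),
    inputs={"wafer": Party("WaferWorks", "JP"), "rare_earth": Party("MineCo", "CN")},
    route=[("Kaohsiung", "TW"), ("Long Beach", "US")],
)
ALL_PARTIES = [TPMS.supplier, *TPMS.inputs.values()]
SANCTIONS = ["CHIP-CO", "Acme Mining LLC"]                     # constructed list
CONTRACTS = {"Long Beach port labour contract": date(2025, 6, 30),
             "Carrier X drivers": date(2025, 12, 1)}           # constructed dates

if __name__ == "__main__":
    print("sanctioned parties:", screen(ALL_PARTIES, SANCTIONS))
    for ev in (Event("disaster", "TW"), Event("strike", "US"), Event("nationalization", "CN")):
        print(ev.kind, ev.target, "->", risks_hit(TPMS, ev))
    print("contracts to watch:", expiring_contracts(CONTRACTS, date(2025, 4, 15)))
```

Two things the run makes visible that the lists alone do not: a single event can land in more than one class (a disaster in the supplier’s country both shuts the plant and cuts the first leg of the route), and the sanctions screen only catches the sub-tier parties because they were mapped in `inputs` first, which is why mapping the supplier’s own supply chain comes before subscribing to any feed.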

If you analyze these four risks, and cross-correlate with the World Economic Forum’s Global Risk Report, you’ll see that most of the time there aren’t that many risks with a reasonably significant chance of occurrence that you really need to worry about. (Except pandemics! There are going to be more of those, as the world still isn’t ready for them and won’t make the investment to get ready.)

Focus on identifying the risks around supplier and supply, and you’ll be leagues ahead of your peers.

Myth-busting 2025 2015 Procurement Predictions and Trends! Part 7

Introduction

In our first instalment, we noted that the ambitious started pumping out 2025 prediction and trend articles in late November / early December, wanting to be ahead of the pack, even though there is rarely much value in these articles. First of all, and we say this with 25 years of experience in this space, the more they proclaim things will change … Secondly, the predictions all revolve around the same topics we’ve been talking about for almost two decades. In fact, if you dug up a Procurement predictions article for 2015, there’s a good chance 9 of the top 10 topic areas would be the same. (And see the links in our first article for two “future” series with about 3 dozen trends that are more or less as relevant now as they were then.)

In our last instalment, we continued our review of the 10 core predictions (and variants) that came out of our initial review of 71 “predictions” and “trends” across the first eight articles we found, in an effort to demonstrate that most of these aren’t ground-shattering, new, or, if they actually are, not going to happen because the more they proclaim things will change …

In this instalment, we’re again continuing to work our way up the list from the bottom to the top and continuing with “Risk & Compliance”.

Risk and Compliance

There were 10 predictions across the eight articles which basically revolved around “risk management strategies” with some sideline focus on the need for “resilience”, “cybersecurity”, and “compliance”. As with almost every “prediction” and “trend” in this series, this is yet another prediction that makes headlines every year, no more important this year than the last, and no more likely to get any more attention until a major event happens that significantly disrupts the organization, a disruption that could have been prevented with better risk management systems and processes. Before we discuss further, as is our custom, we will list the ten predictions.

  • Blockchain
  • Cybersecurity and Data Privacy
  • Cybersecurity in Procurement
  • Compliance
  • Enhanced Risk Management Strategies
  • Expansion of Risk Management Strategies
  • Geopolitical Instability Shapes Risk Management
  • Resilient Supply Chains
  • Risk Management and Resilience will continue to be a Priority
  • Risk Management

Risk has been increasing year over year for over two decades. It should be front and center in every organization, especially given that very few organizations that have been around for any length of time haven’t been impacted to some degree by a disruption event, and the chance of an organization of any size not experiencing a disruption in the next year is close to zero. It does make the top of the charts in the board room, but, unfortunately, it’s still not making the top of the charts when it comes to new solution acquisition and new process introduction. In most organizations, it’s just being pushed down to the tactical personnel who execute daily tasks, personnel who may not have enough of a big-picture understanding to manage risk properly in their decisions.

However, given the need for resilience in the age of constant supply chain uncertainty and disruption (due to epidemics and pandemics; border closings and sanctions; strikes and port shutdowns; reduced cargo capacity from perfectly good transport ships being junked during COVID; Houthis in the Red Sea and Panamanian droughts; trade wars; reduced or cut-off rare-earth and raw material supply; etc.), risk should be even more prominent and more actively addressed. Leading organizations will double down on resilience and supply assurance strategy and survive the disruptions relatively unscathed; those who don’t double down won’t. It’s that simple.

Given that almost 3/4 of organizations were hit with a cyberattack in 2023, an all-time high that was only projected to increase in 2024, cybersecurity concerns should also be at an all-time high, but given that most organizations relegate cybersecurity to IT, we know it’s not going to get much better in Procurement. It needs to, considering how much organizational finance flows through Procurement, but it won’t change much.

Finally, organizations know they need to comply with regulation, so compliance is always at the edge of the Procurement mindset, but beyond minimal requirements, it never gets much attention, regardless of how much a few analyst firms or vendors try to push it.

What Should Happen? (But Won’t!)

Organizations need to prioritize the acquisition of a Risk360 solution, or the closest thing they can find, implement it, and monitor it regularly to make sure they detect risks that can impact their supply chain or operations as soon as such a risk occurs: not after the supply has been cut, not after the organization has been locked out of all of its systems, not after key customers have failed and orders evaporated, not after signing a contract with a sanctioned party, and so on. Today, every decision has to be made risk-aware. And without a centralized risk management system, that will not happen.

Six down, four to go!