Category Archives: Risk Management

Single Tier Risk Mitigation Strategies Don’t Mitigate Risk

… and, in fact, may increase it!

For example, let’s say that risk analysis identifies a disruption risk from southern china with the primary reason being unpredictable transportation due to labour and provider capacity uncertainty. Let’s also say that Procurement decides a good response to the risk is to just triple inventory and instead of working with a 3 week safety stock, works with a nine week. Problem solved, right? No! Problem exacerbated. Why?

Given that production is not likely to notice an issue and raise a flag until they get down to 1 or 2 weeks of stock, simply increasing stock levels is not going to speed up the time in which Procurement is notified of a potential issue. But even worse, if Procurement raises stock levels, chances are Procurement, or the supplier, will increase shipment sizes and send stock less often. This will increase the amount of time before Procurement could sense a problem because if shipment windows increase from 2 weeks to 6 weeks and a disruption happens one day after a shipment, it will be almost 6 weeks before Procurement identifies it, which could be too late for a recovery. Risk increased.

In fact, most mitigation strategies designed at a single tier actually have the potential to increase risk. Let’s take a few:

  • Dual Sourcing
    without careful planning, both suppliers could use the same Tier 2 source
  • Alternative Design
    that reduces / eliminates the need for one rare material in favour of another doesn’t reduce raw material risk of the other material is just as rare or the acquisition / production cost substantially higher
  • Financial Risk Monitoring
    for shakey suppliers doesn’t catch production shortcuts they might be taking to cut costs that increase risk that could result in catastrophic failures
  • Replacement Product Lines
    chances are the replacement product lines share parts and suppliers … you’ve actually increased risk from a disruption, not decreased it

To truly mitigate risk, you have to go multi-tier and work with your supplier to identify the most likely risks, and how to properly mitigate them.

For example, if the risk is:

  • factory shutdown
    you can work with the supplier to ensure a secondary geographically remote location has the ability to recreate the production line quickly
  • transportation shutdown
    have secondary shipment companies, and ports, lined up and ready to go if primaries go down … be ready to truck or rail longer or even airfreight in emergencies
  • financial stress
    the buyer may need to step in and float operations during new production line setup or new product design
  • raw material unavailability
    the options for alternate supply must be known in advance, as with the options for substitute material

But you’re not going to be able to figure out the right secondary location, transportation options, financial mitigation strategies, or raw material strategies on your own. Don’t try. Work with your strategic suppliers and get it right.

What’s Procurement’s Role for 2018?

Watchdog.

As we enter the new year, the predictions and prognostications are going to get crazy again. And, like always, they are going to be of the obvious variety or, as the public defender points out, of the wild guesses.

But the reality is that from a process, power and performance perspective, not much will change … it will be the continual slow prod forward that it has been for the last decade. However, as the past few years have shown us, one thing is constant. Suppliers will fail. Disruptions and Disasters will happen. And your technology vendors will get acquired.

We’ll start with this last point first. Over the past year, Jaggaer and Coupa tried to outdo each other in an acquisition frenzy. Spend360 and Pool4Tool and Trade Extensions and BravoSolution all scooped up by Procurement space giants trying to get bigger. No matter how big, how successful, how stable, or how much they indicate a desire to remain independent, they could literally be scooped up tomorrow. Everyone has their price, and if it’s a PE firm, the company is flipped as soon as that price is met. And as we discussed in our recent post on M&A on how The Mania Continues, if this means there is solution duplication, at some point, you can be pretty much assured someone’s solution is going away. M&A’s are done to enhance synergy of offering or enhance profit through synergy of operation where you can reduce staff and product footprint against a larger customer base.

This means that Procurement has to expect that, at some point, at least one of its preferred platforms is going up in smoke, and has to be on the ball to identify what platform may be at risk, when, and what steps will have to be taken to mitigate that risk.

Similarly, it will have to insure it is keeping an eye on all critical suppliers — which, as the best know, is not just the 20% of suppliers who get 80% of the spend, but any sole-source or dual-source supplier that supplies a product or service critical to the organization’s primary product lines. If the product line could not be offered, or not offered to the full extent, without that supplier, any impending issues need to be detected early. This will mean keeping an eye on the organization’s credit risk, timeliness (if shipments get later and later, that could be an indication of trouble), sustainability ratings, negative mentions in the news, and so on. (An SRM solution that integrates with risk watchdogs will be critical.)

And, finally, it has to be on the alert for natural or man-made disasters that can pose a risk to parts of its global supply chains. It not only needs to know when an event happens that could affect a critical part of its supply base, but what suppliers in particular will be effected.

It has to be a watchdog on constant alert. Just sourcing and negotiating great deals is not enough. They have to be realized. And, for that, Procurement must be the best watchdog there is.

Are You Doing Your Own Quality Spot Checks? And Should You Be?

By now, if you haven’t heard of the Kobe Steel Scandal, you’ve been living in a cave. (Which, in some organizations, is highly probably given that one of the tricks the CFO likes to do to Procurement when fiscal year end is approaching is to lock them in the basement until the mandatory savings objective is reached … hence our post yesterday on why every day is Halloween for some Procurement departments.).

This scandal is scary. Not only because the data falsification on strength could go back as far as 10 years on some batches, and who knows what bridges, high-rises, and busses that steel has gotten into (and even a .1 degradation, while not enough to jeopardize immediate safety, can impact expected life span and increase susceptibility to decay, making safety a concern down the road before inspection and maintenance schedules kick in).

But this brings up a good point? If more companies were doing more spot checks on shipped product and quality, instead of just trusting Kobe, would it have been 10 years before the scandal was exposed. Even if only a small percent of batches are affected, I highly doubt this would have been undetected for 10 years, even if only one bar or sheet in multiple shipments were tested.

This is an example of what happens when finance tries to get too greed or supply chains to lean by centralizing a function downstream. When one party is responsible for everything, one failure can reverberate up multiple chains undetected — and have potentially disasterous consequences. Now one might say this problem is solved by co-locating people on-site, but if those people never leave the site, even though you pay their salary, their work family is the people they work with day in and ay out and the existence of that company is their livelihood. Are you sure they won’t bow into the local culture and, if the culture dictates, defer to authority or collectively hide the shame?

Just like third party audits are needed, for critical materials, so are third party quality tests. Doesn’t have to be you, could be an independent organization set up between your co-opetition that does random independent quality spot-checks on 1 in 10 shipments and shares the data with everyone.

Just like a good Chef would never use an ingredient without insuring it’s quality, a good Procurement organization should never let a shipment be accepted without a high degree of confidence that it’s a quality shipment. And confidence like that only comes from organizational testing or trusted third-party independent testing. So don’t get too lean or too cheap — your organization, and the lives of its customers, could depend on it.

Are We About to Enter the Age of Permissive Analytics?

Right now most of the leading analytics vendors are rolling out or considering the roll out of prescriptive analytics, which goes one step beyond predictive analytics and assigns meaning to those analytics in the form of actionable insights the organization could take in order to take advantage of the likely situation suggested by the predictive analytics.

But this won’t be the end. Once a few vendors have decent predictive analytics solutions, one vendor is going to try and get an edge and start rolling out the next generation analytics, and, in particular, permissive analytics. What are permissive analytics, you ask? Before we define them, let’s take a step back.

In the beginning, there were descriptive analytics. Solutions analyzed your spend and / or metrics and gave you clear insight into your performance.

Then there are predictive analytics. Solutions analyzed your spend and / or metrics and used time-period, statistical, or other algorithms to predict likely future spend and / or metrics based on current and historical spend / metrics and present the likely outcomes to you in order to help you make better decisions.

Predictive analytics was great as long as you knew how to interpret the data, what the available actions were, and which actions were most likely to achieve the best business outcomes given the likely future trend on the spend and / or metrics. But if you didn’t know how to interpret the data, what your options were, or how to choose the best one that was most in line with the business objectives.

The answer was, of course, prescriptive analytics, which combined the predictive analytics with expert knowledge that not only prescribed a course of action but indicated why the course of action was prescribed. For example, if the system detected rising demand within the organization and predicted rising cost due to increasing market demand, the recommendation would be to negotiate for, and lock-in supply as soon as possible using either an (optimization-backed) RFX, auction, or negotiation with incumbents, depending upon which option was best suited to the current situation.

But what if the system detected that organizational demand was falling, but market demand was falling faster, there would be a surplus of supply, and the best course of action was an immediate auction with pre-approved suppliers (which were more than sufficient to create competition and satisfy demand)? And what if the auction could be automatically configured, suppliers automatically invited, ceilings automatically set, and the auction automatically launched? What if nothing needed to be done except approve, sit back, watch, and auto-award to the lowest bidder? Why would the buyer need to do anything at all? Why shouldn’t the system just go?

If the system was set up with rules that defined behaviours that the buyer allowed the system to take automatically, then the system could auto-source on behalf of the buyer and the buying organization. The permissive analytics would not only allow the system to automate non strategic sourcing and procurement activities, but do so using leading prescriptive analytics combined with rules defined by the buying organization and the buyer. And if prescriptive analytics included a machine learning engine at the core, the system could learn buyer preferences for automated vs. manual vs. semi-automated and even suggest permissive rules (that could, for example, allow the category to be resourced annually as long as the right conditions held).

In other words, the next generation of analytics vendors are going to add machine learning, flexible and dynamic rule definition, and automation to their prescriptive analytics and the integrated sourcing platforms and take automated buying and supply chain management to the next level.

But will it be the right level? Hard to say. The odds are they’ll make significantly fewer bad choices than the average sourcing professional (as the odds will increase to 98% over time), but, unlike experienced and wise sourcing professionals, won’t detect when an event happens in left-field that totally changes the dynamics and makes a former best-practice sourcing strategy mute. They’ll detect and navigate individual black swan attacks but will have no hope of detecting a coordinated black swan volley. However, if the organization also employs risk management solutions with real time event monitoring and alerts, ties the risk management system to the automation, and forces user review of higher spend / higher risk categories put through automation, it might just work.

Time will tell.

To Truly Be Successful at Supplier Risk Management, ADMIRE!

Now that we’ve carefully explained that you’re just not up to the task of preventing a black swan event, hopefully you have made risk management a priority. So, to help you understand, at a high level, what this is, we’re reprinting this classic post from 2010. Most of the articles out there get the basics wrong, but if you get them right, it’s not that hard to do a decent job (especially if you get a good platform to help you out). Enjoy!

Not only is supplier risk at the forefront of thought these days, but articles on it are at the forefront of online publications as well, including this recent article in Supply Chain Digest on the key drivers of successful supplier risk management. However, most of the articles miss the point.

For example, according to this article, the trick to successful supplier risk management is to:

  1. engage top-level management,
  2. segment suppliers based on relative risk,
  3. rigorously measure and manage risk,
  4. give category managers tools and training, and
  5. collaborate with key suppliers.

Which is all good advice that is fine and dandy, but it misses the point. Risk management is all about identify risks, identifying mitigations, monitoring risks, and executing mitigations at the appropriate time. Management support is important, but it doesn’t have anything to do with risk identification or mitigation. Segmentation is a good tactic as more attention needs to be placed on suppliers which represent more significant risks, but again it has nothing to do with risk identification or mitigation. The same goes for giving category managers tools and training. Collaboration is relevant only if the mitigation requires collaboration. In other words, in this list, the only key driver is the “rigorous management and mitigation of risk”.

The reality is that success depends on your ability to ADMIRE the situation. Specifically, the ability to:

  • Ascertain the risks,
  • Define the risks that could cause significant damage,
  • Monitor those risks,
  • Identify appropriate mitigations,
  • React when signs of the risk begin to materialize, and
  • Engage the supplier when collaboration is required to mitigate the risks and
  • rinse and repeat

That’s it. But don’t forget the rinse and repeat. The biggest risks today are not the biggest risks tomorrow, so you always have to be actively engaged in risk management. Always. And since there are always more risks than you can actively address and mitigate, at any particular time you need to focus on the major ones (but still monitor for, and evaluate, the rest and as soon as they become likely or potentially costly, elevate the priority so that a mitigation plan is prepared in time).

Share This on Linked In