Category Archives: Risk Management

Six Ways Companies Mismanage (Supply Chain) Risk

A recent Harvard Business Review article by Rene M. Stulz dives into “six ways companies mismanage risk” (membership required) that are just as applicable to supply chain operations as they are to financial operations. As the article points out, these missteps are just as likely to occur in good economic times as they are in the rough economic times we are currently experiencing, but rough times will magnify the impact of the mistakes considerably.

The six mistakes highlighted in the article are:

  • reyling on historical data
    Historical data is a starting point, not a destination. For example, look at how well real estate investment managers who assessed risk on the basics of statistics over the past three decades did in 2007. Closer to home, consider how well you would have done in your fuel hedges in early 2008 (before the price of oil dropped over 60%) or with your logistics hedges in late 2007 (before global shipping volumes were cut in half).
  • focussing on narrow measures
    Focussing only on-time deliveries misses the point. It’s about the perfect order — the right product of the right quality shipped using the right method with the right carrier at the right price delivered to the right customer at the right time. If you ship the wrong product, or the quality is insufficient, or you have to expedite it and it costs three times as much, you’re losing money and your metric will never capture the losses.
  • overlooking knowable risks
    Meticulous review and careful thought allows one to identify almost every possible risk, including risks in the instruments used to measure the risk. For example, if you are using an index to hedge against cost increases, and that index lags reality by three months, you could be cut off-guard by rapid cost increases or decreases due to unexpected supply or demand disruptions (caused by natural disasters, for example).
  • overlooking concealed risks
    Risk takers in your organization may deliberately hide risks that they feel are unlikely, and jeopardize an entire sourcing plan or production line. For example, if you’re in food, and your supply manager decides to source all of your tomato crop from coastal Florida because of volume-based cost savings, you’re at risk of an immediate supply disruption every time a hurricane sweeps up the cost.
  • failing to communicate
    If you can’t clearly explain the risks in your plan, systems, and organization, chances are they’ll be ignored, or at least severely underestimated. For example, if you’re assuming uninterrupted supply from a single-source supplier, and that risk goes overlooked, that could be a real problem in this economy.
  • not managing in real time
    Unless you’ve been hiding under a rock in a cave, you’ve probably noticed the volatility of the global markets lately, including supply volatility (as suppliers go out of business) and demand volatility (as customers reduce their spending).

All these mistakes will cost your dearly in the current economic climate, so its worthwhile reviewing your risk management strategy to make sure you haven’t made any of them. For more information on risk management, and best practices, see the risk management posts here on Sourcing Innovation.

Is Your Legal Team Ready (for Supply Chain Litigation)?

A recent CFO article on The Next Wave did a great job of pointing out that litigation is likely to spike again this year, starting next quarter. Noting that recession-related litigation last spiked in 2001 when the dot-com bubble burst, the wounds of recession often encounter a particularly painful form of salt as corporate attorneys stand ready to pour it on if they sense weakness in a rival, or a way to compensate for their own economic woes. Legal wrangling is already erupting across the board as aggrieved plaintiffs battle over breached labor contracts, unwarranted (executive) layoffs, dubious financial disclosures, broken supply chains, ailing strategic partnerships, ravaged 401(k) plans, unjust competitive practices, intellectual-property infringements, and curtailed credit lines. And as the article notes, that’s only a starting list.

Furthermore, the experts are expecting an avalanche in legal activity, starting as early as next quarter, with electronic discovery, intellectual property rights, anti-trust initiatives, and foreign corrupt practices leading the way, even though large companies are already spending millions a year on litigation. (In 2007, one in five large U.S. companies spent $10 Million or more on litigation, and the number of smaller companies spending more than $1 Million on litigation increased threefold.) As such, companies should expect their rivals to dust off their patents, pull out all the stops against perceived monopolies and their acquisition activity (under the “anti-trust” umbrella), report them on any practice that could be considered a foreign corrupt practice (in hopes that a resultant fine will bankrupt them), and challenge any e-discovery initiative as violating client-attorney privilege.

So what can you do to mitigate the risk?

  • Legal Team Readiness
    Make sure your legal team is primed and ready for unexpected, unwarranted, and ill-conceived litigation. They should be fully staffed; up-to-date on corporate policies, practices, and promotions; and supported by legal experts and support firms already on retainer.
  • Patent Perception
    Make sure that your legal team is well versed in the patents owned by your competitors and the usual patent trolls in your industry and that preliminary arguments as to why they don’t apply and / or why they are invalid (proof of prior art) are already drafted. In addition, they should be ready with counter-arguments as to potential violations of your patents by your competitors. Sometimes, nothing quashes a patent suit faster than the threat of a valid counter-suit.
  • Acquisition Acuity
    Avoid any acquisitions not already under way that could be seen as contributing to a monopoly, and insure that you have lots of facts, figures, and expert opinions ready to go as to why your current merger and acquisition plans will not result in a monopoly. If you do your homework, you just might be able to get the case thrown out before it ever gets to trial.
  • Practice Proofing
    Make sure your legal team has an expert (on retainer) on the laws with each country you are doing business with as well as the foreign corrupt practices act, alien tort claims act, and other laws that could be used to bring charges against your firm on home soil. Have that expert review all of your proposed dealings before any contracts are signed, before any money changes hand, and before any new operations are initiatied.
  • e-Discovery Deftness
    Have your legal and IT teams do a thorough review of the e-Discovery service(s) that you plan to use and insure that their processes are sufficient to prevent disclosure of attorney-client privileged information at least 99.999% of the time. (If you expect that from your SaaS offerings, you should expect it from your e-Discovery offerings! There’s no way that 800 documents should slip through in a batch of only 78,000, as that’s an error rate of 1.02%.) After all, every attorney-client privileged document that slips through is a piece of key evidence that you could be denied.
  • Quality Quest
    If you’re linked to a salmonella, melamine, or other food safety scandal in any way, shape, or form, you’re pretty much guaranteed to be a defendant in a class-action lawsuit these days. Your only defense (against criminal / federal action) is to prove that you exceeded every federal regulation and quality standard and were methodical and religious in your quality testing.
  • Security Strafing
    With the recent changes to the IEEPA that increase the civil penalty for a “person to violate, attempt to violate, or cause a[n export] violation to “an amount not to exceed the greater
    of (1) $250,000; or (2) an amount that is twice the amount of the transaction that is the basis of the violation
    “, the introduction of 10+2 where an importer importers can be charged with fines equal to the shipment value if they fail to
    file and face charges of $5,000 per transaction with missing or inaccurate data
    , and an increasing number of customs audits (especially against those companies without a solid C-TPAT history), it’s only a matter of time before your weak links are discovered … and if those weak links including non-compliance with one or more regulations, you could be risking a multi-million dollar fine. Do a security compliance audit before the fact, and if you find any discrepancies, voluntarily report them (under the guidance of external legal council) immediately.

A Great Guide to Outsourcing Risk Management, Part V

In Part I we discussed the starting point of your outsourcing project and how you go about selecting service providers to issue RFPs to. In Part II we discussed proposal evaluation and in Part III we discussed the dispute resolution process that needs to be addressed up-front in the contract. Then in Part IV we discussed the service level agreement. Today we will discuss what you do after the deal is signed, and remind you to check out the full series on outsourcing risk management by Alsbridge, as printed by SourcingMag.com, that the first four parts of this series is partially based on as well as “4 dimensions to managing your service provider” that today’s post is partially based on.

Now That The Deal Is Signed, What Do You Do Next?

You manage the relationship. It’s important to remember that risk management is a continual process of planning, monitoring and control that will last the lifetime of the project. It might seem intuitive, but a lot of companies believe that once the deal is signed, it’s the vendors problem. It’s the vendor’s responsibility, but it’s still your problem as it’s still your liability. You’re the one that can be fined and imprisoned under SOX (like poor old Fox) if you file incorrect financial statements, fined and imprisoned under IEEPA if you buy or sell the wrong kind of product from or to a denied party, and fined or imprisoned under a host of other import and export control and financial acts.

An outsourced function requires continual oversight and change management. There should be weekly oversight meetings between project managers and immediate escalation of any issues that can’t be amicably resolved within the allowed time-frames, and issues should be primarily identified on an exception basis. The meetings should only focus on issues and yellow and red-light metrics — anything green and going well doesn’t need to be discussed. In addition, all information on issues to be discussed should be made available on the corporate intranet well in advance of any meeting so that all parties can be briefed on the issue before hand and the meeting can focus simply on resolution.

After Months and Months of Work, Your Outsourcing Project Finally Hit ROI. Now What?

You keep monitoring, you keep managing, and, more importantly, you look for ways to improve the initiative. You didn’t spend weeks defining and negotiating that iron-clad contract with extensive SLAs, Change Management Provisions, and Staged Milestones for nothing. You put all that effort in up-front so that you could continue to extract better and better returns on the back-end. So look for areas of improvement, streamline the processes, and move it forward.

So How Do You Manage the Relationship?

Carefully. The first thing to remember is that vendors work for other people’s shareholders. To gain the payoff while minimizing costs and risks, vendors must be carefully managed, otherwise the full ROI will never materialize. The next thing to remember is that vendors feel they are getting paid to deliver results as fast as possible, not to manage the life-cycle their work product is part of. Some vendors are more than willing to sacrifice quality for “quick results”, especially if they believe they are only being paid for the latter or that they won’t be around to deal with the eventual consequences of cutting corners.

It takes a lot of time to manage outsourcing. In addition to the usual technical guidance, you also have to manage the HR issues. Not only might you find yourself in the position where you have to hound them to fill vacancies, but you might have to pressure them to replace staff if the staff they assign you aren’t good enough. Then you need project manager buffers to keep the more aggressive service providers at bay who will be all over you to outsource even more activities or start new projects. And your compliance and legal staff will have to constantly monitor their performance with respect to the contract to make sure that they are holding up their end of the agreement. The reality is that everything you were monitoring before still has to be monitored, and probably has to be monitored more regularly. Plus, you will need to review their performance on a regular basis against every function they are doing for you. That’s why you only outsource functions that have associated economies of scale. For example, invoice processing in a mid-size or larger organization that requires ten or more staff to process the invoices is a good candidate. Invoice processing in an organization that only keeps three full time staff busy is not, because they’ll still need to retain one or two people to monitor throughput and handle exceptions and you want the cost of the monitoring resources the organization needs to maintain to be less than the savings obtained from outsourcing the function.

Essentially, for each function you outsource, you need to retain at least one person internally who did that function to monitor the performance of the service provider and help resolve issues as they arise. And then they have to pass on any issues that go unresolved for more than a minimal amount of time to the project manager to get resolved at the next meeting. Outsourcing can pay off where there are economies of scale to be had, but only if you remember to monitor it carefully and help the vendor improve their performance year-over-year and quarter-over-quarter. Otherwise, you’re better off just hiring more people internally to tackle more strategic sourcing projects and increase your savings that way.

A Great Guide to Outsourcing Risk Management, Part IV

In Part I we discussed the starting point of your outsourcing project and how you go about selecting service providers to issue RFPs to. In Part II we discussed proposal evaluation and in Part III we discussed the dispute resolution process that needs to be addressed up-front in the contract. Today we will discuss the service level agreements, and remind you to check out the full series on outsourcing risk management by Alsbridge, as printed by SourcingMag.com, that this series is partially based on.

So What Do You Need With Respect to Service Level Agreements?

Vague, optimistic promises of a happy life together may work for some personal relationships, but they don’t work between two companies. Creating a well-defined SLA to define your organization’s needs and expectations has many benefits, including the:

  • provision of a common understanding of exactly what service is being provided (how, when, where, when, by whom, etc.)
  • definition of common realistic expectations
  • simplification of complex issues by focussing on what is important
  • reduction of conflict by eliminating what’s not important
  • clarification of the bonuses for exceeding SLAs and the ramifications for failing to meet delivery requirements
  • framework for later modification and improvement as the need arises

When deciding what to measure, remember that you shouldn’t measure anything that shouldn’t be quantified. For example, use phrases like “99.99% uptime” not “make our customers happy”. The first is objective and a measurement can be clearly defined. The second is subjective, and there’s no way to objectively measure it. Response time is important, but instead of saying “respond rapidly to customer inquiries”, define a maximum hold time of 10 minutes and then you can define a penalty metric if more than five calls per week exceed the maximum hold time.

Also be sure to clarify your responsibilities and the support a provider requires to meet their metrics. For example, if they are expected to investigate any issues that arise relating to the integration of their external systems with your internal systems, you must ensure that they have the right level of access at all times. Otherwise, they can’t be held responsible for missed delivery targets.

And make sure the number of metrics tracked is reasonable. Too few, and you can’t really measure how well the provider is operating (or define penalty clauses if more than a certain percentage of the metrics are missed in an evaluation period, since 20% of the metrics will always be missed every time the provider misses 1 metric if you only track 5). Too many, and the bookkeeping requirements are too costly and onerous for both parties. Somewhere between 10 and 20 is usually just fine if you focus on the right metrics. (And if you’re not sure what metrics to select to diagnose a sick patient, call the doctor.)

Finally, don’t forget that you need a baseline period. Typically, the first quarter is used to define a baseline and the provider is then measured starting in month four. (It typically takes two months of “transition period” where control is shifted to the provider and the “kinks” are worked out before you can extract a solid baseline in month three.)

When it comes to defining bonuses and penalties, you need to be somewhere between a new mug and a vacation in Hawaii for the former and somewhere between a slap on the wrist and the electric chair for the latter. Bonuses that are too trivial won’t entice the provider to step up their game, but bonuses that are too extravagant will end up costing you dearly as the provider will go out of their way to insure they do everything in their power for free money. Similarly, if all the provider gets is a slap on the wrist, they’re not going to care whether or not they hit a performance target or not. But if you threaten the electric char, if the provider even signs the agreement, you can be sure the fees for the service level guarantees will be exorbitant as they will have to build in a financial safety net. Be fair, and you’ll get the best possible deal.

In the next, and final part, of this series, we’ll talk about what you do after the contract is signed.