Financial Business Risk Prioritizes Supply Chain Vulnerabilities …

… but it does not identify those vulnerabilities, although it can tell you where to start looking. So while an article in the SCMR last year provided a good overview of how to evaluate and quantify supplier risk, the title was misleading when it said they were calculating business risk to identify supply chain vulnerabilities.

The article, which described the authors’ approach to improving the evaluation of risk impact on a business, culminated in four main findings. The approach, which looked at the total financial impact a supplier failure would have, yielded two findings that we’ve known for over a decade, ever since Resilinc pioneered the approach of assessing the financial risk associated with a supplier failure (based on mapping where all of their parts are used and which of those are single source):

  • procurement spend with a supplier is NOT correlated with the financial risk of a supplier
  • part standardization can increase business risk impact

As well as two insights that are rather new:

  • procurement spend is not correlated with the revenue of the company (the Resilinc model could have shown this, but they did not focus on this or collect those metrics the last time SI was made aware of their methodology)
  • true high-risk impact suppliers account for a substantially smaller share of spend than an organization might think; in the authors’ study, they represented only 28% of total spend (whereas most companies will highlight the high-spend suppliers as high risk and identify the suppliers that represent almost three quarters of spend, or 73% in this study)

The reason for this is that they linked all of the organization’s data sources that contained information related to the BoM for each SKU, the revenue for each SKU, and the suppliers for each BoM. By creating a network of connections between components, products, and suppliers, and identifying single-source parts, the link between the criticality of a supplier and the revenue became clear. Consider the supplier who supplies the custom control chip for fuel injection management, cruise control, or even tire pressure monitoring. If they were to fail, the absence of a single $10 custom control chip can bring down a multi-million-dollar production line and close down an entire production plant, as the recent semiconductor shortage did to many plants during COVID. Given that these chips were being put into $10,000 to $100,000 cars, these suppliers would never have blipped on a spend-based risk assessment. And this is just one example.

But it is an example that demonstrates the blind spots companies have with respect to small and specialized suppliers that aren’t in the top 80% of spend yet supply sole-sourced and/or custom parts or products. This means that when doing a risk assessment, it’s not just risky suppliers or risky supply chains that need to be assessed; it’s any supplier that supplies something that isn’t easily replaced by another source should something happen to the current supplier. The risk that they will fail could be low, and the risk that you couldn’t quickly modify a design to use an alternative lower still, but you don’t know until you assess. And that assessment must be revenue and criticality based, not spend based. Spending $100M with a steel supplier to acquire the raw material for a frame assembly makes the supplier strategic, but doesn’t make using that supplier super risky when all their competitors offer the same grades of steel. But if you need a custom chip for that car, power transformer, etc., and you currently only have one supplier to supply it, then that supplier, no matter how stable and how low-risk its profile looks, is a risk even if it only gets one hundredth of the spend. And you need to determine if it has any vulnerabilities and, if so, monitor them so you won’t be surprised by a sudden failure.
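The linkage described above (BoM per SKU, revenue per SKU, suppliers per part) can be sketched in a few lines. This is an added example, not the article authors' or Resilinc's model; all supplier names, parts, and figures are constructed, and the assumption is that a SKU's full revenue is at risk when any single-source part in its BoM is lost.

```python
from collections import defaultdict

# Constructed sample data (not from the article or the study).
SKU_REVENUE = {"sedan": 40_000_000, "suv": 60_000_000, "truck": 25_000_000}
BOM = {  # SKU -> parts in its bill of materials
    "sedan": ["frame_steel", "injector_chip", "cruise_chip", "tpms_sensor"],
    "suv": ["frame_steel", "injector_chip"],
    "truck": ["frame_steel", "tpms_sensor"],
}
PART_SOURCES = {  # part -> qualified suppliers
    "frame_steel": ["SteelCo", "AltSteel"],
    "injector_chip": ["ChipCo"],           # single source, shared by two SKUs
    "cruise_chip": ["ChipCo"],             # single source
    "tpms_sensor": ["SensorCo", "ChipCo"], # dual source
}
SPEND = {"SteelCo": 100_000_000, "AltSteel": 20_000_000,
         "SensorCo": 3_000_000, "ChipCo": 1_000_000}


def revenue_at_risk(sku_revenue, bom, part_sources):
    """Map each supplier to the revenue of SKUs blocked if it fails."""
    blocked = defaultdict(set)  # supplier -> SKUs it can stop on its own
    for sku, parts in bom.items():
        for part in parts:
            sources = part_sources[part]
            if len(sources) == 1:
                # A set keeps a SKU from being counted twice when one
                # supplier single-sources several of its parts.
                blocked[sources[0]].add(sku)
    return {s: sum(sku_revenue[k] for k in skus) for s, skus in blocked.items()}


def rank_suppliers(sku_revenue, bom, part_sources, spend):
    """Return (supplier, spend, revenue at risk), highest risk first."""
    risk = revenue_at_risk(sku_revenue, bom, part_sources)
    rows = [(s, spend[s], risk.get(s, 0)) for s in spend]
    return sorted(rows, key=lambda r: (-r[2], -r[1]))


if __name__ == "__main__":
    for name, spent, at_risk in rank_suppliers(SKU_REVENUE, BOM, PART_SOURCES, SPEND):
        print(f"{name:9} spend={spent:>12,} revenue_at_risk={at_risk:>12,}")
```

In this constructed data the lowest-spend supplier carries all of the revenue at risk, while the $100M steel supplier carries none because a second source exists.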