
Post on 07-Jun-2020


In a constant quest for competitive advantage, too many CEOs are underestimating the power of procurement. It’s time for procurement leaders to change that.

IF YOU DON’T HAVE A 360-DEGREE VIEW OF SUPPLIER RISK, WHY NOT?

With smart thinking, strong leadership and the right technology, procurement and supply chain leaders can transform the supplier assurance process – and reduce the danger that a third party could irreparably damage the business.


It takes a lot of time, effort and resource to recall 1.5 million toys. Yet, that is precisely what Mattel had to do in 2007, when it discovered that its main supplier, Early Light Industrial in China, had outsourced the painting of the toys to another company, Hong Li Da, which had used paint that contained potentially poisonous lead. Early Light Industrial had audited the sub-contractor – and even supplied it with the right paint – but the ensuing scandal rocked Mattel, which only survived because it took swift, decisive action, including an investigation that led to the recall of another 18 million toys that had magnets which, if dislodged, could become a choking hazard.

These are the kinds of stories that haunt chief procurement managers and supply chain leaders. Risk, like change, is one of the laws of life, and managing it is one of the prerequisites for a successful enterprise, but we live in an age when risks – geopolitical, social, technological, corporate – seem more profuse, uncertain and complex than ever before. This is particularly problematic because, as a species, Homo sapiens is hard-wired to think of the future in terms of lines. Our instinctive preference to assume that the future will be like the present, only more so, and/or that current trends will continue unabated has served us badly in the past five years and turned “agility” into the hottest buzzword in business.

At the same time, says Jake Holloway, business development director of Crossword Cybersecurity, a leading technology commercialisation company, businesses could do more to help themselves manage these risks – especially when it comes to supplier assurance. “Supply chains are a massive source of risk. Many companies recognise that they are likely to cause significant problems for the business but – with the exception of a few very risk-averse sectors such as nuclear energy, weapons and transport – most organisations simply do not do as much supplier assurance as they want to do.”

This gap between aspiration and performance is becoming more serious as, over the past 25 years, many global companies have built sprawling, intricate, complicated supply chains to reduce costs, ease access to key markets and make their business more resilient. In the process, they have made managing these networks – and assuring the resilience, integrity and quality of individual suppliers – significantly more difficult, time-consuming and expensive. Even Fortune 500 companies have found this onerous. One aerospace giant’s ambition to develop and produce a new airliner in record time faltered when it ran out of fasteners. Staff resorted to buying up stocks from Home Depot stores.

Many companies are finding it hard to cope with such obvious risks as supplier failure and cybersecurity. Statistics quoted by the Chartered Institute of Procurement and Supply suggest that, over a three-year period, eight out of 10 businesses will experience a supplier failure. The business media is also full of stories in which companies scapegoat suppliers for interrupted services, technological failures and faulty components – Ferrari’s Formula 1 team even blamed a spark plug supplier when Sebastian Vettel had to retire after a few laps of the 2017 Japanese Grand Prix.

Cybercrime continues to wreak havoc on businesses as diverse as retailer Target, mobile phone network TalkTalk, search engine Yahoo!, hotel group Marriott and ride-hailing service Uber.

The threat isn’t going away – a recent Gartner survey found that 95% of CIOs expect cyber attacks to get worse. The troubling aspect of the attack on Target, in which 40 million credit-card details were stolen, was that the hackers broke into its systems through its air conditioning suppliers. This unfortunate episode cost Target at least $300m.

Traditionally, most CEOs have focused on meeting investor expectations but they are increasingly aware that society has expectations, too. These can be hard to measure, manage and control because the risks are so varied, complex and volatile. Social media is now so powerful that no company wants to be named and shamed for driving orangutans from their natural habitat, polluting the oceans with plastic, or using child – or forced – labour in their supply chain. In the instant courtroom of social media, companies can be judged and condemned before they have been able to mount a defence.

Such incidents can do lasting damage. As John Ludlow, CEO of Airmic, the association of managers with responsibility for risk and insurance, noted recently: “The trust your corporate brand commands has become a huge differentiator and has contributed to a shift in corporate value away from tangible assets towards physical ones, such as reputation.”

Managing all these risks – especially if your company has thousands of suppliers – can be a daunting prospect. “At the moment, supplier assurance is typically a very manual, ad hoc, disjointed process that is hardly automated, not quite as standardised as it ought to be and produces data that is as likely to be siloed as shared,” says Holloway.

The two great deterrents to transforming supplier assurance are time and money. “Assessing risk across your entire supplier database can be expensive, especially if you’re doing it manually. Even if you triage resources and focus on the most critical suppliers, most organisations find it hard to convincingly explain why something has gone wrong to risk committees, regulators or shareholders,” says Holloway. This failure is bound to diminish the standing of the procurement, or supply chain, function in the eyes of other internal stakeholders.

In most organisations, suppliers are assessed, with varying degrees of thoroughness, during the on-boarding process and seldom after that. Given the pressure on workloads and budgets, companies often understandably settle for easily available financial data which has little relevance to the areas of likely risk. If assurance is being done largely manually, managers are likely to fire off a few “file and forget” requests by email, Microsoft Word or Excel and then, after the law of diminishing returns sets in, stop chasing. Sometimes the process slips down the agenda when a more short-term issue arises and never climbs back up again. Given the speed and scale of change – in regulations, technology and the competitive environment – the success of this approach to supplier assurance can come down to luck as much as judgement.

That may be standard practice – enshrined in the corporate culture as, “We’ve always done it like this” – but it really doesn’t have to be this way. This is a problem many companies have tried to resolve by throwing money and technology at it, rather than laying the groundwork for a new supplier assurance model by doing the following things first:

1. Defining what supplier risk means to the company in all its dimensions. As discussed above, there are many more aspects to corporate risk than there were even 10 years ago.

2. Making the current risk status of each supplier visible to the procurement function and to the board. Technology can help here, by bringing concrete visuals to illustrate what can seem like the abstract concept of the supplier network.

3. Agreeing supplier assurance objectives and KPIs which are reported on. This is crucial if the company is to ensure that its approach to risk is applied consistently across the business.

4. Establishing a supplier triage process that includes all the company’s suppliers and identifies the worst-case suppliers. Crossword Cybersecurity recommends five levels of rating – from very low to very high.

5. Agreeing a fixed, non-negotiable assurance approach for each level of impact. Again, this will help drive consistency and efficiency.

6. Investing in automation and an online portal. Technology is not the entire solution to supplier assurance, but it is impossible to solve it without it.

Six steps to professionalising supplier assurance

Supplier assurance can be a manual and time-consuming task – which means that businesses aren’t measuring and managing risk as effectively as they might. Tech can help standardise the process – providing managers have taken the time to do six things:

1. Define what supplier risk means to the company in all its dimensions.

2. Make the current risk status of each supplier visible to the procurement function and to the board.

3. Agree supplier assurance objectives and KPIs which are reported on.

4. Establish a supplier triage process that includes all your suppliers and identifies the worst-case suppliers.

5. Agree a fixed, non-negotiable assurance approach for each level of impact.

6. Invest in automation and an online portal.

Rizikon Assurance, developed by Crossword Cybersecurity, gives companies the capability to:

1. Completely standardise questions and have one place where questionnaires are updated with new standards and regulations.

2. Automate supplier reporting, scoring and chasing.

3. Facilitate regular re-assessment (the supplier is responsible for updates).

4. Enable suppliers to share questionnaires with all the relevant people (because no one person ever knows everything).

5. Construct a smart questionnaire that asks the minimum number of necessary questions (and therefore isn’t as long as James Joyce’s Ulysses).

6. Access relevant financial data from Companies House and credit-scoring platforms.

7. Display all risks in one scorecard view for the function – and the board – to understand.

Companies have grown understandably wary of investing large sums in IT systems that never quite deliver the expected benefits. Yet a supplier portal won’t cost the earth and, with its ability to give procurement and supply chain leaders a 360-degree view of risk that they can share with the board, will enhance their ability to control risk.

There are many uncertainties around supply chains. Companies cannot eliminate them all, but they can reduce them, significantly enhance their understanding of the ones that remain and manage them more effectively.

There are, as a recent report from consultants EY and UK Finance noted, many “soft” issues that can make supplier assurance more difficult than it needs to be: “Organisations can suffer from unclear roles and responsibilities. The risk model may be incomplete or inconsistently applied. Risk management protocols may be inconsistent across each third-party. A multiplicity of governance, risk and control platforms across organisations can hinder streamlined reporting/issue management.”

These issues will all take time, will and patience to deal with and that is, Holloway says, all the more reason to automate what can be automated. By doing that, companies can free up their procurement and supply chain leaders to focus on more strategic challenges. The future may be impossible to see but it is coming. As Holloway says: “For a company not to use technology to professionalise its approach to supplier assurance is a risk not worth taking.”

This report is brought to you in partnership with Crossword Cybersecurity. To learn how Rizikon Assurance can help organisations, particularly large ones, to manage third-party assurance at scale, go to www.rizikon.io, or contact us at [email protected]; +44 20 3953 8460.
