How Ignoring the Risk in Your Supply Base Can Cost You $1.6 billion

Editor Coda
Jul 23, 2013


If you work in procurement, supplier risk management should be on your radar – but are you aware of all the risks you face?  

All professionals involved in the procure-to-pay process should be aware of this important issue. Why is this so important?

According to Terry Kohn, Principal at Hookeo Consulting Company, whom Susie interviewed in our recent webinar, “The penalties are gigantic, the risks are huge. It would be considered fundamentally a gap in preparation if the CFO wasn’t actively and aggressively putting a governance structure in place.”

In terms of the supply chain risks, shared services leaders need to be concerned with:

  • The financial stability of critical suppliers
  • The risk of business disruption caused by supply chain events
  • The potential bribery and corruption that might exist within the supply chain

While most professionals in purchase to pay are generally aware of the need to ensure critical suppliers are risk assessed, they should also be aware that governments around the world are taking an increased interest in managing risk on behalf of the corporations that reside within their territory, as well as their activities abroad. As Kohn said, “They have become assertive and aggressive and the fines have been huge. They have started to put people in jail.” 

The UK Bribery Act, The Foreign Corrupt Practices Act, child labor laws, and conflict metal laws are just some of the laws that have impacted major companies. If you think this couldn’t happen to you, here is a glimpse of some of the recent top fines and damages companies have faced through insufficient supply chain management:
 

  • Smith and Wesson executives were arrested at a trade show after the FBI set up a sting operation to catch violators of the Foreign Corrupt Practices Act
  • Toyota fell from being the world’s number one automaker after its supply chain was badly affected by natural disasters
  • Siemens was ordered to pay $1.6bn to settle bribery cases in 2008 by the US Securities and Exchange Commission
  • In 2009 KBR, Halliburton were fined $579m to resolve US criminal and regulatory charges after facing bribery charges in Nigeria
  • BAE Systems were fined $400m for failure to comply with the Foreign Corrupt Practices Act in 2010
  • In 2010 Daimler also agreed to pay $185m after admitting guilt in a US corruption case
  • The US Department of Justice fined Technip, a French company, $338m in 2010 for bribery charges in Nigeria

The fines and the hits to reputation are tough enough, but Kohn said that in some cases the bad press and uncertainty have led to share prices falling 25% overnight.

What does compliance look like?

Kohn said that it’s common for companies to take a half-hearted approach to risk management. These types of approaches are generally reactive, based on suggestions from a third party or responding to a disruption in your supply chain. However, this type of approach generally isn’t good enough, he warned, particularly if you need to monitor all of your overseas subsidiaries.

Good compliance programs remain fundamentally a process, Kohn says. To do it well you need to understand what a good supplier risk management process looks like and understand the operational management of risk and regulatory risks. There has to be a very definitive process that is followed in terms of roles and responsibilities and job descriptions around supplier risk management. Progressive organizations will examine their process and get a good understanding of their current approach to risk before implementing new processes supported by tools and a governance structure.

Which of your suppliers should you worry about?

It’s not just about assessing your top 50 or 100 suppliers, Kohn says, because very often you already know the details of this tranche of your suppliers and they have a vested interest in doing the right thing for you. The suppliers that generally pose the risks, he warns, are usually outside the parent company’s geography, and the risk is magnified dramatically in geographies where risk profiles are higher (Kohn named Africa, Latin America and Russia as areas that pose higher corruption risk). In these hotspots, the type of risk management you might expect to be put in place isn’t always the cultural norm. In these regions you can’t just rely on the country managers to manage the risk.

Kohn says there is a pretty well defined approach that, over time, has proven to be the best approach for addressing this whole supplier risk management activity. Here are some of his key tips:

1. List the risks. You should start with an assessment of the inventory of operational and regulatory risks associated with the business.

2. Vet your suppliers. The UK Bribery Act and the Foreign Corrupt Practices Act require you to vet 100% of your suppliers before you spend a dollar with them. Kohn warns you need a very refined process where you typically look at a number of databases to assess whether suppliers or their employees have been indicted for criminal activities.

To assess your supplier risk, you need to build a tiered assessment of your global supply base down to the category. Have your suppliers been vetted against your list of operational and regulatory risks? Kohn recommends that, instead of vetting each organization individually, you use a third party to go in and inform your organization on vendor resiliency, information security breach potential, financial risks, conflicts of interest, and legal or regulatory missteps at corporate or officer level, so that you can quickly decide if you have risky suppliers that require further information.

3. Act on your intelligence. What emerges from these exercises is a few different categories of company: a large list of companies with no issues, some bad suppliers that you will need to exit from, and medium-size lists of companies that require further investigation.

The role of your shared service organization

The shared services center has an essential role to play in supplier risk management. When shared service centers aren’t involved, this generally indicates a weak approach to supplier risk management. Finance shared service organizations play a crucial role in managing supplier risk in a few important ways. Shared service centers generally manage the purchase orders, manage master data and process the invoices. These pieces of information generally have all the data you need to build a risk profile. Access to this data makes the shared service organization a natural fit to support supplier risk management.

Kohn says that supplier risk management is a process. It’s not just a strategy or a set of published policies and procedures on your website; it’s actively managing supplier risk. You have to be able to assess current activities, vet your suppliers, and have the metrics and governance guidelines in practice. You need to design a plan, implement it, then monitor success.
 

For more information watch the webinar 'On a scale of 1 to 10, how large is the risk in your supply chain?'.
