A common risk management mistake is waiting for the worst to happen before taking decisive action. Understanding that things will go wrong – it’s not a question of ‘if’ but ‘when’ – sets a sturdy foundation for your risk strategy.

In many cases, it is only after an incident that organisations assess their risk processes. Procurement chiefs who wait until disruption impacts their supply chain could find their organisation pays a heavy price given the volatile, uncertain and interconnected nature of modern threats. The Risk planning guide 2020 research shows that 96% of CPOs surveyed experienced an unexpected supply chain disruption over the past 12 months.

Despite advances in support capabilities, most procurement functions’ risk management practices continue to be reactive. A proactive approach is needed to meet emerging cybersecurity threats and global trade uncertainties, as well as health, safety and environmental risks.

What gets measured gets managed

One of the first challenges procurement functions have is finding the right metrics by which to assess suppliers’ risk profiles. Some roundtable participants said the following basics can be a struggle:

• Defining their organisation’s risks.
• Measuring the likelihood and effect of these risks along extended and complex supply chains.
• Systemising risk management processes.

Functions that have developed appropriate risk management report noticeable benefits, from service performance improvement and timely risk mitigation intervention to better-informed decision-making and greater stakeholder satisfaction.

Members also discuss ways procurement teams can use metrics to assess the health of their suppliers. To best realise this, members offered the following advice:

• Adopt a cross-functional approach, bringing in different teams with varying perspectives to define risks and the metrics to track them.
• Use legislation to build a list of criteria for suppliers to abide by.
• Tap into publicly available business information or contract business intelligence companies to run credit checks on your behalf.
• Embed a code of conduct throughout the supply chain that includes considerations around sustainable practices or even cyber resilience. Monitor compliance through regular site visits or third-party audits.

Getting basics right means sophisticated thought

Building a risk assessment methodology is difficult, particularly for buyer organisations with long and complex supply chains. But in a business world marred by volatility and uncertainty, risk management cannot be left unattended.

The outbreak of coronavirus has shown the threat posed to businesses by single-supplier dependency. First, map the supply chain to find those critical links and, where they exist, look for alternative suppliers.

The process may seem long and laborious but it is necessary. Focusing first on a handful of strategic suppliers is a good place to start; tap into those relationships to build and recalibrate your risk management framework, which can later be extended to the rest of the supply chain.

To preempt risk, lessons from past incidents should be learned and fed into the approach. This will help reinforce processes and develop pattern identification, which could be achieved with automation technology.