Global Risk Mitigation: Using risk assessment tools to evaluate global suppliers

Risk management has been among the top priorities on board agendas and in procurement departments for many years, yet companies found themselves unprepared for the pandemic-driven increase in supplier risks and the resulting supply chain disruptions.

As suppliers shut down across China and other global locations, it became increasingly more difficult—or impossible—to keep inbound products and parts flowing. As a result, many suppliers went bankrupt, or couldn’t maintain deliveries.

The pandemic has been a global supply chain wake-up call. Companies that experienced shortages and inconsistent, often delayed, shipments of critical goods wondered how they missed the risk involved with their supply chains.

Personal protective equipment (PPE) was in short supply around the world. Toys and decorations were delayed beyond the holiday season. Consumers couldn’t get anti-bacterial wipes, hand sanitizer, or face masks. In addition to paying severe import penalties, machine shops couldn’t get the metal forgings they needed. And now that the worst of it seems to be over, it’s time to take action to mitigate any future risk of supply chain disruptions.

There are several steps companies can take to mitigate risk. Most importantly, careful planning for monitoring suppliers is critical. Developing a tool or using an existing software tool for assessing risk will help identify the weak links in your supply chain.

But a tool alone is not enough—it must be carefully and thoughtfully designed, implemented, and aligned with corporate goals. Coupling the data tools with an ongoing effort to oversee and manage your supply chain is now essential.

Walk before you run

There are many outstanding software monitoring tools and ERP reports available in the marketplace. If these tools are implemented without thoughtful planning, they will produce data, but not actionable information.

Just how effective these systems are is questionable if you haven’t determined clearly thought-out goals and aligned these with your corporate goals. If you haven’t thought through how you plan to use the data produced by these systems, then their effectiveness may be minimal. It’s important to clearly define and document these goals as a first step.

Keep in mind that a risk assessment tool is much more than supplier performance monitoring. The pandemic demonstrated that risk assessment goes beyond reporting on-time shipments, billing accuracy, and product quality. Determining supplier risk must also include the geopolitical situation, environmental risk, financial risk, intellectual property risk, technology risk, among others.

Technology should always be an enabler of strategy and processes. However, today’s software solutions often include examples of industry best practices that you may learn from or adopt as better than your current processes. Always consider industry standards and best practices as part of your tool development.

Alignment with corporate goals: A top-down approach

One mistake supply chain professionals repeatedly make is to ignore the alignment of supply chain goals with the corporate goals identified by executive management.

If what you’re measuring and implementing does not support your corporation’s current goals, then why are you measuring or implementing it? Every function within an organization should be working to support the corporate goals defined by company executives.

Starting with corporate goals such as customer service, sustainability, and profitability, determine how the supplier’s performance should align with these goals. For example, supplier on-time delivery most likely aligns with your corporate goal of on-time order fulfillment for customers.

On-time deliveries are also critical to the company’s production schedule—another alignment path. If you can’t make the connection between a supplier performance attribute and your corporate goals, then you are measuring the wrong things.

Determine which suppliers are most critical

The best approach is to segment suppliers into multiple categories. The most critical suppliers such as those with long-lead times, sole-source suppliers, and essential-parts suppliers are the most susceptible to risk for your company and need to be intensely monitored for any signs of disruption or distress.

If suppliers are in troubled geopolitical regions of the world or are subject to natural disasters, climate change, or other issues, they should be placed at the top of the monitoring process and checked regularly. The next group should include suppliers that are less risky, but still critical to supply chain operations.

The pandemic demonstrated that risk assessment goes beyond reporting on-time shipments, billing accuracy, and product quality. Determining supplier risk must also include the geopolitical situation, environmental risk, financial risk, intellectual property risk, and technology risk.

If you apply the 80-20 rule, the critical suppliers with the most risk to the company are in the top 20%. The remainder of your suppliers are somewhat less risky because of their location, the commodity, or because there are multiple sources for these supplies.

Some suppliers may not need monitoring at all. Any supplier that supplies readily-available commodity parts might not be included in intensive monitoring, freeing up time and focus for the more critical suppliers.

How far should you go?

Monitoring Tier 1 suppliers may not be enough, particularly with critical parts and sole-source suppliers. For critical parts, companies need to understand that the entire supply chain—your supplier’s suppliers—go two or three levels down.

Suppose, for example, your company buys semiconductors that become components in your product from a Tier 1 supplier. Production parts for manufacturing those semiconductors come from Tier 2 and Tier 3 suppliers.

The war on Ukraine has stopped the production of Ukrainian neon gas—a critical component in semiconductor manufacturing, putting your Tier 2 supplier at risk of delivering. Thus, understanding the risks of Tier 1, 2, and 3 suppliers of critical parts is important in your evaluation.

Knowing these risks may prompt industrial buyers to find alternate sources or to increase inventory levels to avoid stock-outs, proving that knowing the entire supply chain is now more essential than ever.

Define what risks should be monitored

Risk assessment in on-time performance and quality is the most basic monitoring approach. Using existing ERP or other software, companies can capture on-time delivery information, order completeness, and quality test results.

This information is often used with a green-yellow-red scoring approach and performance is reported and discussed with suppliers. All suppliers should be monitored on these basic elements. In conjunction with the basic performance reporting, a corrective action plan should be put in place to assist the supplier to make improvements where they have performance deficiencies.

Financial. Ask for assistance from your finance department to assess the riskiness of critical suppliers. Using public records posted by suppliers, you can evaluate financial health by calculating a few important financial ratios such as gross/net profit margin, debt-to-equity, accounts receivable ratio, and cash flow.

If the supplier company is not public, it’s customary to ask for these ratios. From quarter to quarter or year to year, monitor changes and trends in these ratios and watch for red flags emerging.

Technology risk. Over the past few years, companies’ systems have become more connected with the outside world via the Internet of Things (IoT) and sophisticated machinery that reports performance via the internet.

It’s also likely that payment systems are electronic, as are forecasts and demand triggers. Each time a company’s systems are connected via the internet to the outside world, a risk for cybercrime is created.

To assess risk in this area, the company’s IT security staff should be engaged to determine the level of acceptable risk and document any particular vulnerabilities with suppliers that have systems connections with your company, either directly or via the internet. Cyber risk is a growing threat that must be anticipated and managed.

Beyond cyber risk, technology now plays a critical role in most companies. Understanding what systems your suppliers are running, how they are maintained and upgraded, and what backup systems are in place at these suppliers are important risk considerations.

Country and geopolitical risk. If your suppliers are located in a part of the world subject to geopolitical or country risk, the situation must be closely monitored. Government shutdowns of manufacturing plants in China over the past few years are one example of unexpected risk.

As mentioned above, the war in Ukraine halted the production of neon gasses that now affects semiconductor production around the world. Sometimes these risks are unpredictable, but being aware of geopolitical and country risks can help companies make better choices about where to source goods and why having suppliers in different regions may be the best strategy.

A new class of risk-monitoring software is available that uses artificial intelligence (AI) to comb world news publications to capture worker disruptions, natural disasters, and other events. This software provides early warning signals about vulnerable suppliers.

Part of determining country and geopolitical risk should include the risk of climate change in low-lying seacoast areas like Florida, wildfire risk in California, and tornadoes and flooding in the central U.S. Human rights issues should also be included with greater emphasis being placed on these issues by customers and boards of directors.

To evaluate these risks, the U.S. Department of State, the U.S. Department of Commerce, and the U.S. Chamber of Commerce-International Division, all have helpful websites with pertinent information.

Define how to communicate and take action

The final piece to a risk evaluation tool is to decide how to maintain it and communicate when supplier risk raises a red flag. Supply chains are not static and neither should be the supply chain monitoring tools.

A cross-functional team including procurement, supplier quality, finance, and IT security will provide the best results in addressing global supplier risk and developing assessment tools…But even with the best software and data analysis, there is still a need to actively manage your global and domestic suppliers through regular site visits and communications with suppliers.

The measurement categories you collect should be refreshed every 6 months to 12 months and adjusted to reflect changing business conditions and corporate goals. What you measure and monitor must be kept fresh and reflective of the business environment.

When supplier risk reaches an unacceptably high level, you’ll need a way of communicating this to all of your stakeholders. For example, if a supplier’s financial situation changes and this is reported in its 10K or Annual Report, procurement should be instructed to proceed with caution. If the supplier of a critical part is going bankrupt, this information must be delivered to all relevant stakeholders.

Increasing quality issues or frequently missed delivery dates may be triggers for visiting a supplier or calling for a performance meeting, In extreme cases, you may want to terminate a supplier. Whatever action you decide to take, early warning is essential for your manufacturing organization and other stakeholders.

The company’s executives may want to warn customers about late orders due to parts shortages. For example, when semiconductors became a shortage issue during the pandemic, automotive companies had to warn customers that their new cars would be delayed.

There are many aspects of risk to consider when developing a risk assessment tool that is suited to your business. Leveraging data that is available from your current systems or implementing something new should always start with the understanding and alignment with corporate goals, then determining what risks are most important for your business.

A cross-functional team including procurement, supplier quality, finance, and IT security will provide the best results in addressing global supplier risk and developing assessment tools. But even with the best software and data analysis, there is still a need to actively manage your global and domestic suppliers through regular site visits and communications with suppliers.