According to a new report by A.T. Kearney and Rapid Ratings International, risk management has declined as a priority within procurement organizations. Companies are finding it tough to maintain the proper level of diligence, especially when it comes to monitoring key suppliers. Yet those procurement departments that are able to effectively identify, diagnose and resolve supplier issues are in the best position to manage and minimize risk. In this conversation, excerpted from an episode of The SupplyChainBrain Podcast, we get some best practices for managing supplier risk from Rose Kelly-Falls, senior vice president of Rapid Ratings, and Carrie Ericson, vice president with A.T. Kearney Procurement and Analytic Solutions.

Q: Tell us about the study of procurement professionals that A.T. Kearney and Rapid Ratings have collaborated on, looking at risks in extended supply chains. How did you put it together?

Kelly-Falls: Carrie and I started collaborating on the study about six months ago, trying to figure out what the message was, and what we wanted to elaborate on. We were taking some recent studies, along with information that Rapid Ratings had recently pulled together. What we wanted to focus on from a Rapid Ratings perspective was to show companies the importance of the financial health aspect when it comes to risk management. Even more importantly, we've included private company information in the study. It's the first time we’ve ever done this. We've broken it down in three ways: by country, supply market and industry.

Q: Where do you get the private company information?

Kelly-Falls: That's what Rapid Ratings has been focusing on over the last several years – gathering private company financial information on behalf of our clients. We do that through a solicitation service. We have a database of private company financials. We're reaching out to our clients' suppliers, and requesting the information, all under full disclosure of our intentions. They've been very cooperative, and we've been successful in building the information, so that we can share it across these different markets.

Q: What has been your recent experience with A.T. Kearney clients, in terms of their awareness of the importance of risk management, and the grasp – or lack of it – that they have around this topic?

Ericson: Our clients are very savvy when it comes to risk management. It's something that's been on their radar screens for 20-plus years. We do benchmarking with procurement organizations globally. We've been running an Assessment of Excellence in Procurement Benchmarking survey since 1993, in which we survey over 600 global companies to identify leadership practices in procurement. I can tell you that since the early '90s, risk has been top of mind for supply leaders in terms of an issue that they're trying to grapple with. The challenge or the disconnect that we see, and which is what got Rose and I talking, is that there's oftentimes not very much done about it. Folks are very conscious of risk; they understand it's out there, but they typically lack the bandwidth or capabilities to go after and solve that problem. It's very complex – it’s not just one facet of risk, but it's all the different components, from financial to supply-chain shortages to brand impacts. Because it's so complicated, and because it's such a huge investment to go after, it's something that often gets left on the back burner. People are just taking the chance that it's not going to happen to them.

Q: The title of your report is "Is Your Luck Running Out? Managing Supply Risk in Uncertain Times." The implication is if you haven't had a disaster in your supply chain to this point, you're just lucky. Is that what you're saying?

Ericson: I do think so. Admittedly, people are not doing nothing. They have systems where they try to track risk. They assess suppliers before doing business with them. But just look at the latest product recall from Takata, which involved 70 million airbags. When is that type of an issue going to occur in your enterprise? Have you identified that type of major supply recall as a potential for your company? And if you have, do you have a contingency plan in place? Have you done scenario analysis, so that you can react very quickly? The Takata issue is a great example, because it's a leading airbag supplier doing business with multiple OEMs. [If it fails,] where's the next vendor that you can go to? Whoever has the best and fastest backup plan is likely to ensure the most mitigated impact to their supply chain.

Q: Rose, is that your observation as well, that companies truly have this issue as top of mind?

Kelly-Falls: I would agree with Carrie completely. That's what the crux of this report is about – trying to bring it back to the surface. By chance you may have been lucky, but here’s some information showing that you may not be so lucky going into the future. One of the things we tried to focus on in this paper is the impact on global supply markets, looking at it more broadly and across many different industries.

Q: How are companies doing in terms of approaching risk management from a multi-tier basis? Do they have visibility of those supplier tiers?

Kelly-Falls: The short answer is no. It just complicates things as you continue going down through the supply chain. Companies are struggling with how to get their arms around that. They're better at dealing with Tier 1 suppliers because they have direct contracts with most of them. But when it gets to Tier 2 and 3, a lot of times those are their suppliers' suppliers, so they don't have that kind of visibility. And as it gets further down the supply chain, it just gets uglier.

Ericson: For the most part, the primary strategy that people are deploying is holding their Tier 1 suppliers accountable for managing the Tier 2s and 3s. Certainly if there's a Tier 2 or 3 supplier that has a specific piece of intellectual property, or unique manufacturing process or location, oftentimes the end customer has visibility into who that supplier is, because it's critical to the supply chain. There might be systems or programs in place to keep an eye on that company. But for the most part, it's a very small select number of suppliers that they track and manage, or even know, from a Tier 2 or 3 basis.

Q: You say this issue is top of mind with companies. And yet your report indicates that supply chain risk management has declined in priority. Why?

Ericson: It's like an insurance policy. Each of the supply-chain managers and procurement leaders has a set budget, capacity and number of programs. They've got a lot to manage and do these days. They're being held accountable for year-over-year cost savings, innovation, joint process improvement, a whole host of initiatives. There’s no glory in supply-risk management. Because if you've done your job really well and nothing happens, no one knows about it. So it's tough to free it up, in terms of both the budget and the manpower to go after it. You've got all these other metrics you're being held accountable for. It's a question of prioritization and challenge, in terms of how to fund these types of initiatives.

The other part about it is, when is enough enough? There are so many different levels of risk management you can go at, with increasing amounts of complexity and cost. Where do you stop? At some point you can get a bit obsessed with this, and it becomes a tricky ROI to justify. Finding the right level of investment is something people are trying to grapple with.

Q: Rose, what are companies telling you, in terms of why risk management might have declined in priority?

Kelly-Falls: Part of it is when [a supplier failure] doesn't happen, and you’'ve made an investment, obviously you're going to reduce that investment if you feel like you’re OK. However, I do think that the economy has a lot of influence. When things are going gangbusters, and suppliers and organizations are doing well, they have a tendency to refocus priority on something else. In the financial crisis of 2007, everything became very much risk-focused. They didn't know when a supplier was going to go belly-up, so they had to keep their eye on the ball. Now, we're seeing volatility across different supply markets and countries. Some businesses are focused on risk management, while others are saying, "We’ll worry about that later." It’s an interesting dynamic at this point.

Q: Would you say that the practice of risk management in companies today is essentially reactive or proactive?

Ericson: It's a mix. You've got your leaders in procurement and supply chain who have very proactive, robust programs in place. They're doing pretty well. It’s the vast swath of firms behind them that are trying to keep their heads above. That said, of those who are not necessarily leaders, but are working to improve their supply chains, about 52 percent say they've got a supply continuity plan in place that's yielding benefits. It's not all doom and gloom. But when we scratch the surface, and ask what are those specific strategies you have in place, that's where we see an opportunity to improve.

Q: What are the most common types of disruptions that companies have experienced recently, or ought to be looking out for in the future?

Kelly-Falls: Two come to mind. Financial disruption always seems to be the number-one area of concern. Also natural. Unfortunately, in those particular situations, a lot of times you don't see them coming. You can't necessarily plan for the event itself. That's where resilience or a continuity strategy becomes important. It's a matter of how quickly suppliers can get back up and running. Different types of disasters require different types of contingency plans. By the way, I'm also seeing volatility in the oil market. Who would have predicted that?

Q: Even with the possibility of a "Black Swan" event – which is rare but catastrophic – is it a human tendency to protect against the last thing that happened?

Ericson: If you look at physical and virtual supply chains for industries that are relying on service workers, and maybe some outsourcing, you see that supply-chain competencies have started to cluster. Different regions in the world have developed expertise in different capabilities. A lot of electronics suppliers in China and India are close to each other in terms of where manufacturing happens. In a natural disaster, when those supply chains get co-located, it impacts more of them. That's why natural disasters are having such a big impact. If you think about the SARS [severe acute respiratory syndrome] epidemic seven years ago, we need to look at all these potential issues to see if maybe we should be spreading our risk a little more geographically.

Q: One of the most important aspects of potential supply-chain disruptions is the financial health of suppliers. How has it come to the fore, and how do you incorporate it into your methodology?

Kelly-Falls: Our methodology is solely based on the financial health of companies. It speaks to the overall financial profile of an organization. At the basic level, it refers to the company’s risk of bankruptcy or default. That’s what we've tried to talk about in the paper across different areas. More importantly, financial health looks at a company's operational and structural efficiencies. In other words, is the company using working capital effectively? Does it have a manageable level of debt? Ultimately, what comes out of that is an FHR (Financial Health Rating), on a scale from zero to 100. We’ve tried to illustrate a lot of different ways of looking at financial health.

Q: Where do you get the information about a supplier's financial health? It is enough just to ask that supplier?

Kelly-Falls: It comes solely from the company itself, but we strive to validate the information by collecting more than one year's worth of data for that supplier. We're getting detailed health trend analysis from that company in its financial statements. It's taken from the balance sheet, the income statement and the statement of cash flow. It's a very in-depth analysis, using over 70 ratios to analyze every single company, public and private. Broad and deep is the way we like to look at the analysis.

Q: Let's talk solutions. How does A.T. Kearney advise its clients on three aspects of supply-chain risk management: identifying, diagnosing and resolving potential problems?

Ericson: First off, identification is data, data, data. It's all the points that Rose mentioned in terms of financial health: keeping track of that, having access to supplier contacts so that you can talk to them routinely, looking at on-time deliveries and the quality of what's coming in. It's triangulating all those components of data, as well as external reports about what's going on with the supplier. We get an overall scorecard to determine if there are challenges on the horizon. Of course you would have done a robust screening before you even started doing business with those suppliers, so hopefully they passed all the tests. Now we're more in maintenance mode.

Diagnosing a problem involves setting up filters in your data to highlight when the data elements go out of bounds, or when external events are coming in that you’ve already analyzed. So you can say, if the price of oil does this, I know it's going to impact my supplier in this other way. You're diagnosing what those various scenarios are that you've played out. That's not easy to do, but doing it ahead of time gives you a leg up, in terms of knowing when there may be a problem coming down the pike.

And then, resolve. Hopefully, these are suppliers with whom you have good, solid working relationships. So you can go in and very quickly start to triage. If that's not the case, your scenario analysis may have told you that you need a backup supplier. Having that option at the ready is an important part of the solution as well. There's no one quick answer. It's hard work – a lot of proactive planning, scenario analysis and ongoing maintenance in data analytics and relationship building.

Q: Rose, what best practices have you gleaned in working with companies?

Kelly-Falls: Having a solid strategy. Assessing and data gathering. Then using traditional methods of risk management, through mitigation, follow-up and ongoing monitoring processes. It's not a one-time assessment. It's something that has to be looked at throughout the entire relationship with the supplier, whether starting at the initial sourcing process, or for a partner with whom you've had a long-term relationship. You have to identify, analyze, prioritize and collaborate with the supplier. You should be planning for both short-term and long-term mitigation strategies, then implementing those strategies and monitoring them. I would consider it to be very cyclical.

Q: Do you think that the trend of risk management as a declining priority will turn itself around?

Ericson: Absolutely. We're rolling out our updated Assessment of Excellence in Procurement Benchmarking survey, which includes risk management as one of the many things to look at. That will be coming out in 2017. The unique aspect, and the way we were able to supercharge the analysis, was partnering with Rapid Ratings to get company, region and private-sector specific data. From Kearney's benchmarking survey, we could learn what people are telling us they're doing. Rapid Ratings can show how it's flowing through to the financial aspect. That's where we saw a big gap, and the opportunity for folks to dig in and do a little bit more.

Kelly-Falls: I think companies are getting more and more information. Suppliers aren’t holding their cards so close to the chest now. There's more disclosure, and companies are asking for it. It’s allowing supply-chain and procurement leaders to have more information. That's why I'm very hopeful that things will turn around. Just having the information available is a hurdle that we've overcome.

Resource Links:
Rapid Ratings International
A.T. Kearney