In a complex modern-day global supply chain, how can companies assess which suppliers present the highest level of risk to business continuity? And how can they begin to implement effective risk-management programs based on end-to-end visibility? In this conversation with SupplyChainBrain Editor-in-Chief Bob Bowman, Corinne Goldberg, manager with Deloitte, offers some advice on the way forward.

SCB: What risk does an organization's supply chain today present to its operations?

Goldberg: Both large and small global organizations can have hundreds or even thousands of suppliers that provide services. For that reason, their supply chains can be complex and fragmented. Oftentimes there’s little visibility into the robust nature of their control environment — and more importantly, the degree to which they're operating in line with fair and ethical business practices, as well as being in regulatory compliance. An organization's supply-chain partners can expose it to service disruption, financial and reputational risk, bribery, corruption and money laundering, as well as service-level agreement [SLA] breaches. All of which ultimately impacts the continuity of service provided to customers. It's important that organizations have visibility over how their supply chains are operating, so that they can control their environment and effectively mitigate risk.

SCB: Visibility needs to extend beyond the first tier of suppliers, does it not?

Goldberg: An organization can have a list of tier-one critical suppliers as well as non-critical ones, and the extended enterprise can be vast and complex. A small event upstream can have a large material impact on continuity of service.

SCB: Conversations about supply-chain risk today mostly focus on suppliers. But there are other external risks to consider as well, such as the vagaries of international trade policy, natural disasters, and general economic trends. Should those things also be on our radar for purposes of this discussion?

Goldberg: Absolutely. Economic uncertainty, geopolitical risk and environmental catastrophes makes it all the more important for organizations to have visibility over their supply chains, especially when it comes to partners that operate in certain geographic or economic climates. Those external factors are certainly the driving forces behind why an organization should endeavor to maintain a robust approach to managing risk along its supply chain.

SCB: Where in the supply chain does visibility most often fail?

Goldberg: Because of the nature of operational, reputational, strategic and financial risks that various types of business partners pose, there's a variety of risks both upstream and downstream that an organization should mitigate for. It depends on the industry one is looking at. In the pharmaceutical industry, for example, you might have product-quality issues, or a lack of transparency in the way that marketing activities are performed by supply-chain partners. There are a variety of risks that partners can pose to an organization, so having visibility over the entire end-to-end supply chain is important, both upstream and downstream.

SCB: What measures can organizations take to make their supply chains more resilient?

Goldberg: One of the most important measures that an organization can take is implementing a due diligence program that enables an accurate assessment of the risk profile of suppliers, both during re-contracting and the end-life contract phase. Ongoing monitoring is particularly important, to address any gaps that might be identified in the supply chain. Also developing accountability ownership over tasks with respect to remediating those control gaps.

Along that same line, using a proactive risk intelligence tool to ensure that risks are detected in real time, and addressed in their order of criticality, is quite important. Tools that detect adverse media reports in the public domain can be effective in providing a supplementary mechanism for detecting risk and proactively mitigating it in the future.

SCB: You’re suggesting that companies need to go well beyond just getting data and reporting from the suppliers themselves — that access to external data is important as well.

Goldberg: Exactly. Many organizations undergo due diligence with supply-chain partners through risk assessments, which provide a point-in-time view of risk. But they aren’t as effective in detecting real-time risks that are impacting the supply-chain partner. That limitation creates a need for organizations to adopt technology that leverages artificial intelligence or machine learning to detect adverse media, then proactively develop mitigation plans in real time to address those risks before they become deeper.

SCB: Do you advocate diversifying the supplier base, avoiding single sourcing wherever possible, even if that strategy raises supplier costs?

Goldberg: It depends on the type of organization, and the nature of the goods or services being produced. But I would say diversification of a supply chain is important not only to mitigate risk, but also to drive innovation by exposing an organization to new markets and alternative ways of working. Diversification enables an organization to leverage economies of scale, and drive cost reductions through outsourcing and leveraging alternative providers. It also enables the business to facilitate growth by scaling operations in new geographies or untapped markets. Having a robust due diligence program for the entire supplier base is critical to ensuring that an organization can take full advantage of a large pool of suppliers, but also account for and mitigate risk.

SCB: The ability to monitor an end-to-end supply chain and influence supplier behavior requires that you assert a certain level of control over an entire network of vendors, distributors, and suppliers. How do you gain or regain that control in a complex international supply chain?

Goldberg: There are many different tools and mechanisms to build a robust due diligence program, and ensure that an organization has control over its supply-chain partners. But a massive investment might not be necessary. Creating a program that segments activities in order of criticality is effective in ensuring that resources are directed to mitigating the impact of supply-chain partners that pose the highest risk. Rather than investing in due diligence for lower-risk partners whose activities might not derive a large amount of value. That's probably first and foremost.