A complete step-by-step guide on how to assess supplier risk

November 16, 2021

Supply chains are a complex thing. Modern supply chains stretch around the globe, but the capability of offshoring to gain a competitive advantage also brings an elevated level of risk.

In the past decade, we've seen natural disasters, cybersecurity problems, data breaches, bankruptcies, and, of course, a pandemic prove highly disruptive to global supply chains. 

Yet, while we cannot foresee or predict specific events, businesses can, and should, have robust risk mitigation and regulatory practices in place so they can manage risks in real-time. For example, if you accept that natural disasters will happen and that such an event may lead to a shortage in raw materials and extended lead times, you can have plans in place to minimise these potential risks.

The supply chain management process has never been more challenging. But at the same time, a little due diligence can go a long way to managing the risk factors that could disrupt your supply chain.

Why do businesses and public bodies find this a challenge, and what can you do to assess supplier risk and ensure that your supply base is robust and resilient?

Why is supplier risk management so challenging?

Despite having access to things like automation tools and software that make conducting audits and managing risk levels more straightforward than ever, global businesses still find risk management among their most significant challenges. Why?

Supply chains are complex.

Modern supply chains may have thousands of stakeholders that contribute to the production of a single product. For this reason, some businesses don't even have a risk management program or worry about supply chain transparency. Instead, they write it off because it's too hard to do!

Risk mitigation itself can be high-risk.

You need to conduct audits to identify and help you manage supplier risk, but what if certain risks represent a step into the unknown?

Say you identify supplier risks that you don't have the internal expertise to assist your suppliers in rectifying. You can't not track or acknowledge those risks, as that would leave your business open to accusations of negligence and potential legal action if things go wrong. Yet, because you lack the expertise, you need to rely on your suppliers to manage those risks effectively. In turn, mitigating these risks may be resource heavy and lead to you needing to help fund training or labour to ensure they're dealt with.

Ensure your business rises to the challenge, and don't turn a blind eye!

Data restrictions can slow down processes.

Even where businesses have built strong supplier relationships, suppliers may be reluctant to share data or grant access to systems. If you're looking to assess supplier financial risk but cannot gain access to vital documents, how else are you meant to measure their financial health?

Thankfully, you can address all these challenges if you have a robust risk management process.

What are the potential supplier risks that could cause supply chain disruption and other problems?

The complexity of modern sourcing and procurement means that supplier risks are more likely and that you may only be able to exercise a limited amount of control over them.

It's also essential to recognise and plan how supplier risks may impact your business outside of operational supply chain disruption.

What are the different types of risks you face?

  • Reputational risk. An issue at a supplier's factory or one of your downstream service providers suffering a cybersecurity breach may have nothing to do with you from a hands-on perspective. However, if it means you don't have stock on the shelves, it could still harm your reputation.

  • Resilience risk. As well as affecting your supply chain resilience, issues with suppliers may also directly impact your customer service delivery or product lifecycle.

  • Data security risks. Depending on the data your suppliers hold, third-party data breaches could lead to your business facing increased cybersecurity risks or being at risk of consumer action if customer data is affected.

  • Regulatory risks. One of the most significant complexities in modern supply chain management is that you have regulatory obligations not only where you're based but where your suppliers are based, too. Of course, you trust your suppliers to take care of this. But if they don't, it could be your business dealing with the consequences.

  • Commercial risks. This risk isn't just about your consumer revenue. Poor due diligence processes across your sourcing strategy can lead to cost overruns and inaccurate billing, both of which can harm the financial health of your business.

Discover how Serai can help you manage these risk through our Visibility Solution

Below are some of the most significant supplier risks your business may need to deal with. How many of these came up in your last supplier risk assessment?

Social, ethical and environmental risks to your supply chain

These risks all relate to transparency and supply chain sustainability:

  • Supplier negligence around health and safety
  • Suppliers using child labour
  • Suppliers following unethical practices
  • Suppliers having a considerable carbon footprint, using significant resources and generating vast waste

Financial risks to your supply chain

  • Exchange rate volatility
  • Raw material price fluctuations
  • Energy prices
  • Billing inaccuracies
  • Competition
  • Increasing labour costs
  • Penalties, fines, or lawsuits brought against you due to lack of compliance

Operational risks to your supply chain

  • Lack of, or inaccurate, demand planning
  • Quality standards and control issues
  • Security
  • Poorly written and managed contracts
  • Delivery performance and failure to meet lead times
  • Logistics issues

Strategic risks to your supply chain

  • Changes to legal and regulatory frameworks
  • Changes in consumer and market behaviour
  • Geopolitical issues
  • Intellectual property infringements by suppliers

Risks affecting supply chain continuity

  • Natural disasters
  • Supplier bankruptcies or other issues associated with poor financial health
  • Poor management of and internally within your service providers
  • Over-reliance on individuals or specific suppliers and delivery partners

How to conduct supplier risk assessments

When it comes to supplier risk management, the risks you face will broadly fall into two categories:

  • Risks you know about, and therefore that you can exercise some control over
  • Risks you don't know about, and therefore cannot exercise some control over

Thankfully, you don't need to be a hostage to fortune when it comes to unknown risks, and we'll explore how you can manage those later. The below process outlines how you can conduct supplier risk assessments where you're aware of the risks, control the level of risk, and work on actions to provide mitigation.

Develop a long-term risk assessment process

The most vital thing to realise with supplier risk management is that it isn't a "one and done" thing. For example, if you perform a supplier risk assessment on day one, then do no further audits for several years, you're leaving your business in a high-risk position.

Follow the below process to create a framework for completing risk assessments.

  1. Identify and document all known risks.

The most productive way to begin any risk assessment process is to map out the supply chains of all products or services you provide. The aim is to understand each node of your supply chain and the specific risks associated with them. Use our examples above as a checklist and detail how those specific risks apply to your supply chain.

For each supply chain your business relies upon, start to build a "risk register" so you know what you need to track. When identifying and documenting risks, note any aspects where risk is unknown or you have no data. You can flag these for further investigation to determine whether they're genuinely an unknown risk, or it's just a matter of your suppliers being more transparent.

  1. Create a supply chain risk management framework

Once you have created a risk register, you will need to create a supply chain risk management framework to apply when conducting your audits.

Your framework can be relatively straightforward, but you need to be consistent in assessing the risks to your supply chain and business operations. Consistency means you can prioritise actions by the level of risk and threat they pose to your business.

What your framework looks like and how you score it is up to you. An excellent way to keep your framework simple yet effective is to ask three questions about each risk:

  • What is the impact on your business if the risk materialises?
  • What is the likelihood of the risk occurring, and at what frequency?
  • How prepared are you to deal with the risk emerging?

Likewise, a simple approach to scoring might be something like:

  • Green - Level of risk is acceptable or managed adequately
  • Amber - Elevated level of risk but managed adequately, requires regular assessment
  • Red - Unacceptable level of risk, mitigation to be put in place within a specific timeframe

This approach covers all bases by not just allowing you to risk assess your suppliers but your business's resilience and preparedness to address any issues.

  1. Monitor risk

Once you have established your risk management framework and conducted initial audits, having a process for ongoing and persistent analysis is vital. Not only does continuous monitoring effectively act as an early warning system for potential issues in your supply chain, but it can also improve your supplier relationships as you know where to place your mitigation efforts.

The emergence of digital supply chain visibility software in recent years means that measuring and monitoring risks is more straightforward than ever. For example, using our visibility tool, you can quickly identify and watch all the potential risks present in your supply chain. Furthermore, you can customise the metrics you're looking at and measuring to suit your needs and risk tolerance and get updates in real-time. The latter can be especially effective if you're monitoring fast-changing elements such as the weather, and a hurricane or typhoon is potentially going to disrupt operations at a supplier's factory, for example.

  1. Work with your suppliers to implement governance and review procedures.

As well as monitoring risks on an ongoing basis, it is also best practice to ensure you have a governance mechanism in place to help you review supply chain risks. For example, geopolitical events or evolving situations like climate change might pose a different level of risk three years from when you first set up your risk assessment process. As such, the way you monitor and measure specific risks may need to change.

An intelligent approach to supply chain governance is for your business to have internal "champions" who manage each node of your supply chain. Each individual would then work with your suppliers to provide ongoing support and follow up when risk levels change, or mitigation is needed.

Within your business, create a "governance board" comprising all the individuals responsible for different nodes of your supply chain. Your governance board can meet periodically to review the risk ratings associated with your supply chain and update your business's risk profile and outlook. These actions would then feed into your procurement and sourcing teams, who will always have the latest standards from which they can develop questionnaires and other materials for onboarding potential new suppliers and vendors.

How can you manage risks you don't know about?

A risk being invisible or not yet apparent isn't an excuse to be unprepared for it. Granted, you cannot possibly prepare your business for every potential scenario in granular detail. However, you still need to be ready to react to previously unforeseen risks when they rear their head.

Remember, once you know about these risks, you can go through your risk assessment process as outlined above and ensure you're measuring them moving forward. However, having a plan for managing unknown risks will minimise short-term disruption and give you a competitive advantage over businesses that lack your level of preparedness.

Here are two vital steps that will help you.

Building resilient supply chains

While a resilient supply chain can deal with known risks, doing the work to build supply chain resilience will, by nature, ensure that you're in a solid position to deal with any new or previously unknown risks as quickly as possible.

When creating business continuity plans around your suppliers and supply chain operations, consider how actionable they would be in the face of an as yet unidentified risk. Ideally, the short-term mitigation actions you take will be transferable across different types of risk and scenarios, making it easy for you to train your teams on what to do in the event of disruptions.

Creating a risk-aware culture in your procurement and sourcing teams

Having a risk-aware culture across your business will help you deliver excellence in your supplier risk assessments and help your supplier relationships. Strong supplier relationships mean better outcomes for you and them - you get the results you want while the supplier becomes an attractive partner for other businesses.

The keys to developing and living a risk-aware culture are:

  • Empowerment to acknowledge things that go wrong. Openness around mistakes or poor performance should be encouraged so that your teams can work together to resolve any issues. This isn't about apportioning blame but recognising that you can make things better.

  • Being transparent around risk tolerance. You can't be on top of every risk at all times. Indeed, some risks are so negligible that you might never think about them. By being transparent about the most severe risks, you'll be in a better position to react when new ones appear.

  • Be ready to respond to change. Changes to regulatory frameworks in another country where your suppliers are based can quickly change the risk landscape of your supply chain and bring new risks to the table. By having teams ready to respond to change by quickly identifying new threats, you'll promptly mitigate these and minimise potential disruption.

Should I assess and manage vendor risk in the same manner as supplier risk?

Yes, although you should find that assessing vendor risk is more manageable if your vendors have a robust supplier risk assessment process in place themselves. Rather than conducting a full risk assessment on vendors as if they were suppliers, you can check that your vendors have a similarly robust risk assessment process to you and ask to see the data.

Remember that the same risks will be present as if your vendor was a supplier, so you may need to consider who your alternative vendor or vendors are if the one in question cannot fulfil orders, for example.

Robust risk assessments mean better supply chain risk management.

If you have a robust risk assessment process and supply chain management framework, you will see better outcomes across procurement and sourcing operations, which in turn will filter through your entire business.

On top of this, better supply chain risk management processes will give your business a competitive advantage against those companies that haven't conducted audits and planned to the same level as you. So while they're suffering stock shortages because of a natural disaster in South America, for example, you have pivoted to a supplier in Asia that was on standby for such an event.

Discover how we can help you better assess and mitigate risk and manage all aspects of your supply chain

Learn more