supplier risk management framework

Hans van Eck-Casteels // +1.416.931.5241 // [email protected] Supplier / Supply Risk Corporate Services May, 2013

Upload: hans-casteels

Post on 20-Jan-2015


Category:

Business



DESCRIPTION

What's keeping you up at night? Supplier financial risk? Environmental risk? Risk to brand or reputation? Geo-political risk? Third-party risk? Outsourcing relationship management? Supply? Here are some thoughts on an effective supplier risk management framework.

TRANSCRIPT

Page 1: Supplier risk management framework


Supplier / Supply Risk

Corporate Services

May, 2013

Page 2: Supplier risk management framework


Supplier / Supply Risk management overview

[Diagram labels]

• Vendor Financial Performance
• Vendor Quality of Services
• the corporation Reputation and Brand

Risk areas: Viability, Quality, Regulatory Compliance, Delivery, Customer Service, Innovation, Safety

Axis labels: Organization; VENDORS

Page 3: Supplier risk management framework


Vendor Relationship Risk Management – what if?

• What would the impact be to the corporation if a strategic / critical vendor failed?

• How confident are we that one or more of our critical vendors are not in financial difficulty?

• How would our stakeholders react to the failure of a critical vendor?

• What would the impact be to the corporation’s reputation if one of our vendors causes a major security breach?

• How do we effectively assess and monitor current and potential vendors’ financial and operational health?

• What actions would we take if a vendor were to face difficulties, or cause difficulties for / to the corporation?

Page 4: Supplier risk management framework


Vendor Relationship Risk Management – today’s realities

As the economic climate continues to stagnate or deteriorate, the corporation should be concerned about the viability of our critical or strategic vendors. The impact of vendor failure could prove to be significant, including:

• Disruption of service and product delivery
• Reputational damage
• Business continuity
• Loss of revenue
• Threat to competitive advantage
• Significant use of management time sourcing alternative vendors
• Potential business failure

Supplier Risk Management maintains an up-to-date view of the operational and financial position of strategic / critical vendors.

Vendor risk issues are increasingly board-level concerns due to the severe financial, operational and strategic consequences disruption can cause. This is coupled with greater scrutiny from regulators, who want confirmation that the corporation is robustly managing vendors to limit vendor risk.

Page 5: Supplier risk management framework


Vendor Relationship Risk Management – benefits

Through the supplier risk management program, the corporation will respond faster to the increased volatility and pressures stemming from globalization, outsourcing and the current economic environment. The corporation's Vendor Risk Management framework will:

Ensure or improve the continuity of services through early warning systems and enhanced vendor information

Proactively address critical concerns by facilitating better communication and relationships with vendors

Increase control over potential disruptions in our supply chain and increase our ability to proactively mitigate risk

Minimize or eliminate unplanned reactive costs such as finding alternative vendors at short notice

Embed the improved vendor risk management framework across all aspects of vendor / Sourcing and LOB activity

Provide stakeholders with reassurance about the control corporate services has over the risks in the supply chain

Page 6: Supplier risk management framework


Supplier Risk Model – Elements of Vendor Risk and Consequences of Failure

[Diagram. Axis labels: Supplier Attributes; Situational Factors]

CAUSES (Categories of Predictive Measures)

• Performance
• Human Resources
• Supply Chain Disruption
• Financial Health
• Environmental
• Relationship

DISRUPTION EVENTS

• Quality, Delivery, Service Problems
• Supplier Union Strike, Ownership Change, Workforce Disruption
• Supplier Locked Tier II Stoppage
• Supplier Bankruptcy (or financial distress)
• Disasters (Weather, Earthquake, Terrorists)
• Misalignment of Interests

CONSEQUENCES (Impacts)

• Finished Goods Shipments Stopped
• Locate and Ramp Up Back up Supplier
• Emergency Buy and Shipments
• Reputation
• Market Share Loss

EFFECTS: Revenue Losses and Recovery Expenses

OTHER IMPACTS: Foregone Income

Other labels in the diagram: Emergency Rework and Rushed FG Shipments; Recall for Quality Issues; Sudden Loss of Supplier

Page 7: Supplier risk management framework


Supplier Risk Model – Vendor Risk Strategy

Input

• Business Strategy
• Sourcing Playbook
• Value Drivers
• Organization Process
• Definition of Risk Management objectives
• Determine risk appetite tolerance
• Define vendor risk process
• Perform Risk analysis on seven components:
  - Financial
  - Operational
  - Strategic
  - Environmental
  - Regulatory
  - Foreign Corrupt
• Benchmark results
• Alternatives

Techniques

• Interviews
• Questionnaires
• IT Risk Management tools
• Checklists
• Assumption Analysis
• SWOT templates
• Modeling / Diagrams
• Contingency response strategies

Output

• Ranked risk profile
• Vendor risk strategy
• Vendor risk register
• SLA / KPI /
• Contract language
• Vendor specific risk policies
• Risk Governance
• Tailored scorecards
• Risk acceptance / sign off

[Diagram: Impact versus Probability matrix (L to H) plotting Risk 1 to Risk 6. Labels: Specific vendor management approach based on segmentation and risk weighing; Scorecard; Onboarding]

Page 8: Supplier risk management framework


An Op Risk Management Framework

Objective is to reduce ultimate risk exposure by detecting, managing and mitigating the original risk levels

[Diagram labels: Supplier Risk; Risk Objectives; Initial Risk Exposure; Up-front Protection Activity; Mitigation Triggered by VRM Management; Target Level Of Strategic Vendor Risk Exposure]

Up-front Risk Identification: focus is on uncovering critical vulnerabilities and segmenting these to determine appropriate mitigation strategies

Up-front Risk Identification: focus is on mitigation triggered by VRM vendor risk mitigation strategies and processes

The VRM / VMO will lower vendor risk exposure by effective and proactive identification and risk mitigation strategies and monitoring processes

The VRM / VMO organization has an opportunity to significantly reduce risk exposures

Page 9: Supplier risk management framework


An Op Risk Management Framework

Supplier Risk Model – Risk Management Process

[Diagram labels]

Vendor Risk Governance: Vision, Guiding Principles, Risk Strategy, Risk Appetite, Organization Structure, Risk Glossary

Components: Strategy; Business Initiatives; Vendor Risk Identification & Assessment; Vendor Risk and Control Self Assessments (RCSA); Risk Measurement; Vendor Risk Monitoring; Key Risk Indicators (KRIs); Business Continuity Strategy; Risk Reporting

• Common Organizational Hierarchy
• Common Risk Definitions
• Common Control Themes
• Key Process Focus
• Validating Components

Page 10: Supplier risk management framework


For strategic vendors, an additional risk filtering process

[Diagram: Proposed VRM Risk Filtering, Vendor Segmentation and VRM Management Process. The recoverable labels and text follow.]

Risk filters: Strategic, Operational, Financial, Regulatory, Environmental, Foreign Corrupt (applied to Risk 1 to Risk 6)

Risks are filtered for identification and categorization

Risks are measured according to business impact and possibility of occurrence

Results of aggregate risk measurement determine contract and vendor engagement model

Scorecard / Vendor Segmentation: Impact versus Probability matrix (L to H) plotting Risk 1 to Risk 6. Specific vendor management approach based on segmentation and risk weighing

Vendor segments: Strategic, Operational, Commodity

VRM Governance Processes: Problem Mgmt., Change Mgmt., Delivery Mgmt., Risk Mgmt., Financial Mgmt., Contract Mgmt., Relationship Mgmt.

Other labels: Performance & Management Focus; Governance & Control Focus; High Risk; mandatory; Onboarding

VRM Management Process

• Contract Renewal
• Contract Extension
• New Contract

After segmentation: leading to tailored VRM processes – scorecards weighted to risk mitigation, specific onboarding activities and innovation management

Segmentation Tool: Strategic vendors, specially selected Operational vendors and all ITO/BPO will be additionally risk profiled and rank profiled

Tailored Processes: After filtering, scores will be matrixed,…

Page 11: Supplier risk management framework


Supplier Risk Model – Vendor Risk Categories

VRM Risk Filtering

Risk filters: Strategic, Operational, Financial, Regulatory, Environmental, Foreign Corrupt (applied to Risk 1 to Risk 6)

Reputation impact

Assesses Transition Risk while onboarding a new service provider. These risks may include poorly defined / documented processes being transferred, lack of co-operation from the terminating service provider, the need to transfer institutional memory and transfer knowledge, loss of knowledgeable Company staff during transition,

The overall financial stability of the service provider is assessed by a Financial Stability analysis. This helps to determine whether the service provider will remain solvent, invest in technology and new services to remain competitive, and has the financial resources to provide services at the desired service levels for the duration of the contract.

“Green”, Recycling, Environmental impact

Regulatory compliance assessment helps to determine the compliance with regulatory edicts and events that will disrupt services that are delivered by the service provider

[Diagram: Impact versus Probability matrix (L to H) plotting Risk 1 to Risk 6]

Process steps:

• Establish the context
• Identify Risks
• Analyze Risks
• Plan for Risks
• Segment risk
• Control

Page 12: Supplier risk management framework


Supplier Risk Model – Risk Management Process

Stage 1: QUALITATIVE ASSESSMENT. Identification, Prioritization and Assessment of Vendor Risk

Stage 2: RISK MONITORING. Monitoring of Risk and Process Indicators to Track Operational Risk Level, Modify Risk Profile and Improve Business Processes

Stage 3: QUANTITATIVE VALIDATION. Identification and Measurement of Operational Risk Events, including Near Misses

[Diagram labels: Contract Life Cycle; Risk Identification, Risk Assessment, Risk Mitigation, Risk Monitoring; Risk Measurement; Risk Filters (Strategic, Operational, Financial, Regulatory, Environmental, Foreign Corrupt) applied to Risk 1 to Risk 6]

Page 13: Supplier risk management framework


Supplier Risk Model –Risk Response

Awareness

• Probability and Impact
• Recognition of effects of risk on:
  - service levels
  - brand and reputation
  - service levels
  - consumer perception
  - vendor viability
• Awareness on internal, external and regulatory environment

Prevention

• Goal is to recognize, reduce or mitigate the likelihood of service disruptions, brand and reputation tarnishment and comply with regulatory issues
• Key processes include:
  - risk assessment
  - risk identification
  - risk segmentation
  - risk management
  - risk monitoring
  - change management
  - scorecarding
  - onboarding

Remediation

• Goal is to identify procedures for managing 4 stages of disruption
  - interruption
  - response
  - recovery
  - restoration of service
• Minimize or eliminate impact on:
  - services
  - brand
  - reputation
  - business impact
  - time
  - cost / revenue
  - resources
• Determine most appropriate focus level

Knowledge

• Goal is to learn from experience and to hold vendors accountable for the consequences of their actions
• Modify standard procedures resultant from lessons learned
• Establish a basis of vendor interaction
• Formalized activity

Page 14: Supplier risk management framework


Supplier Risk Model – Stakeholder Risk Change Management

Capture

Input
• Detect disruptions and estimate impact on service performance

Process
• Identify and categorize disruptions
• Record risk in risk database
• Update scorecard
• Liaise with LOB

Output
• Scorecard
• SLA alignment
• Root Cause Analysis
• Change management
• Issue closure document

Communicate

Input
• Communicate disruption impact

Process
• VRM identifies disruption
• Distribute reports and documents from “capture” to “closure”
• LOB / Vendor / VRM meetings
• If process change, document

Output
• Review action points
• Follow up

Collaborate

Input
• Review immediate causes and identify root cause
• LOB / vendor / VRM

Process
• Identify alternative solutions
• Select best alternative
• Delegate assignment

Output
• Scorecard
• SLA alignment
• Discount capture
• Root Cause Analysis
• Change management
• Issue closure document