The coronavirus pandemic has exposed the fragilities inherent to many organisations’ supply chain strategies, with disruption and volatility being exacerbated by risk appetite positions that have often prioritised cost at the expense of resilience. Evaluation of organisational supply chain risk and resilience (SCRR) in light of the ongoing pandemic experience will likely be a focus for most leadership teams now or in the coming months, requiring consideration of a broad array of trade-offs and management practices. In particular, we believe the following five areas should be in scope for potential development focus:
Sourcing strategy / supply chain structure - enhancing resilience of the supply chain may now require a different approach to sourcing in terms of what is done in-house, onshore and nearshore vs. offshore. Scenario based analysis of trade-off impacts on cost, risk and resilience of changing this balance to reflect evolving customer and other stakeholder needs and sentiments should be performed to inform future sourcing strategy and supplier risk assessment criteria.
Supplier visibility across tiers - a common challenge to supply chain resilience is only having visibility of first-tier supplier dependencies, resulting in potentially significant threats to resilience being unknown / unmanaged. Building transparency of all key dependencies within critical product / service supply chains, collaborating with your suppliers to share data and harmonise contractual terms, and leveraging third party software as well as technology such as blockchain to support tier mapping and management, will provide a major boost to resilience in terms of optimised supplier footprints, stronger relationships and agile, data-driven risk management.
Scenario analysis and stress testing - in order to understand whether supply chains are resilient to a range of risk factors and stresses, as well as how changes to supply chain structures can affect risk profile, formal scenario analysis should be performed on a regular basis to inform structural / sourcing decisions and risk mitigation requirements. Evaluation of change factors in scenarios should also go beyond traditional external threats; for example, what effects would a digitalised supplier network have on resilience, what could up-skilling the procurement function with data scientists achieve etc.?
Supplier categorisation and risk assessment - supplier due diligence should consider a material supplier's own critical third-party dependencies and scrutinise their wider resilience and recovery capabilities. Risk assessment should also be extended to evaluate broader risk factors such as geographic concentrations, ease of substitution and cost of mitigation etc. rather than just, for example, financial health and operational performance. Outputs of this extended analysis can then be used to refine selection and mitigation strategy.
Ongoing risk monitoring - the internal and external data landscape should be leveraged with technology enablement (including developments in e.g. Artificial Intelligence (AI) and machine learning) to provide ongoing monitoring of risk indicators and signals. Monitoring should also go beyond a specific supplier level such as tracking city/country level factors in areas where critical partners are based to understand macro-level and systemic risk exposures that can compromise resilience. Sharing this data with your suppliers can also help foster better relationships and more coherent management of risk.
The pandemic has had profound effects on global supply chains, causing significant and prolonged disruption to physical production and shipment of goods due to closure of manufacturing facilities and logistics infrastructure, as well as impacting capacity and quality of supplied business services as a result of office closures and mass remote working.
Although lockdown conditions are being eased in many countries, the different stages of local infection rates as well as forecast and emerging second wave outbreaks will continue to challenge supply chain continuity and maintenance of operational capabilities, particularly for organisations with international footprints and dependencies.
A broad array of new, changed and correlated risks have emerged due to governmental and corporate responses to the pandemic. Of particular relevance to SCRR include the following:
Supplier performance continuity, financial stability and insolvency
Supply chain capacity and pricing
Supply and demand volatility / forecasting
Changing stakeholder sentiments and pressures
Contractual enforcement and liability
Cyber threat levels
Sourcing concentrations across supplier tiers
Wider geopolitical and macroeconomic risks, notably ongoing tensions between China and the US / neighbouring territories as well as Brexit, the effects of business and consumer confidence on economic recovery, and potential structural changes to work patterns will further exacerbate supply chain risk. These are in addition to other well recognised risk factors such as the increasing likelihood and severity of extreme weather / Natural Catastrophe events and reputational risk (stemming from e.g. supplier ethical behaviour) in a sensitive, connected world.
For many organisations, their approach to SCRR will need to develop to address this evolved risk landscape. As well as enhancements to third party due diligence, risk assessment and ongoing monitoring, fundamental strategic questions need to be considered on the structure of future global supply chains and how internal resources collaborate to ensure the organisation is resilient against extreme shocks.
There is a wide array of maturity in the practices adopted by organisations to manage supply chain risk, often influenced by an organisation’s sector, risk profile and size. For example, many large banks have for years maintained dedicated functions / teams focused on this area that support the business with third party selection and onboarding, including comprehensive risk assessment and due diligence, with ongoing risk and performance monitoring leveraging a range of technology enabled data feeds and audits. Across several sectors such as FMCG and Pharma, supply chain control towers have been developed by organisations who want to enhance their chain visibility and management with real-time data in a centralised, technology enabled hub; this empowers agile decision making to realise efficiencies and mitigate risks along the chain, improving performance and resilience.
However, even for mature operators, the pandemic is asking questions as to whether existing arrangements are still fit for purpose. Outlined below are five areas we believe could have significant effects on SCRR management, although we note this is an expansive area with many elements that could potentially benefit from revised approaches, including one of the most effective ways to mitigate risk – having good relationships with suppliers in the first place. We also note that, aside from select digital innovations and the associated upskilling of procurement and supply chain professionals, these are not really new ideas – I have personally been working with clients across these areas for nearly 20 years – but this may finally be the catalyst to crystallise their wider adoption and support by organisational leadership teams.
Sourcing strategy risk appetite
The impact of Covid-19, in addition to geopolitical tensions and growing nationalistic fervour in several countries, contribute an increasingly important dimension to the future design of organisations’ sourcing strategies and supply chain structures. For decades, China has served as the factory of the world but anti-China sentiment by consumers and governments is growing in a number of Western markets, with pressures to ‘buy domestic’ increasing. For many years there has also been a move away to new low-cost destinations, particularly in South East Asia, and some movement of supply back on-shore against this paradigm, albeit limited so far. But the maturity of Chinese manufacturing and logistics hubs and size of its own domestic market has and is likely to continue to temper this shift.
For many organisations, the pandemic has exposed supply chain fragilities due to such dependencies that have arisen over decades in the pursuit of cost-focused outsourcing and lean operational activities. Efficiency has historically trumped a focus on resiliency, but the benefits of resiliency, or rather the cost of not being resilient, have been painfully brought home for many organisations by this virus. A fresh look at sourcing strategy (and the objectives / KPIs of the procurement function) is therefore needed and this will likely require Board engagement and sign-off considering potential brand and political sensitives, as well as the fact supply chains underpin strategic execution.
A key question to frame evaluation is whether a new balance of insource / onshore / nearshore / offshore sourcing is required in the supplier portfolio, considering evolving stakeholder sentiment and expectations, cost implications and resiliency benefits, and over what timeframe any changes should be implemented with respect to organisational strategy. Also of note is how these trade-offs will be positioned and communicated to customers, investors, and regulators etc., with a backdrop of competing geopolitical pressures.
Supplier visibility across tiers
Robust and comprehensive management of risk requires understanding of supplier relationships and dependencies throughout the tiers of the chain to identify potential weak links. Without this, unknown and unmanaged vulnerabilities and risk concentrations could jeopardise business service continuity and risk mitigation e.g. a material supplier that has its own critical single source dependency, dual source arrangements that have a common upstream supplier, suppliers located in the same geographical region, subcontracting dependencies that underpin a supplier’s service provision etc.
Building this visibility will significantly improve supply chain risk management and also support agility in responding to crises, but it can require significant efforts to map (building a fully-functioning control tower for example can take years) and some suppliers may obviously be reluctant to disclose commercially sensitive information; agreeing common contractual terms and KPIs throughout an extended supply chain is a challenge that the UK Financial Services (FS) sector is currently grappling with in response to regulator focus on operational resilience.
Although not a panacea, a number of third-party software solutions exist to support development of digital supplier networks; these tools can also enable dynamic data insights to empower agile decision making and ongoing risk monitoring and response. The growth of blockchain (a digital ledger of transactions that is distributed across a computer network) will further provide options for digitally enabled visibility and transaction security. For many procurement and supply chain teams, the ability to exploit and leverage digital innovations will likely require additional training and qualifications as well as recruitment of new talent with expertise in areas such as data science.
Technology aside, for most organisations, having productive and partnerial relationships with their suppliers centred on mutually beneficial outcomes will be the key determinant in building transparency and aligned resilience capabilities.
Scenario analysis and stress testing
This should be a routine activity performed (and involving various stakeholders from across the organisation) to challenge supply chain resiliency, from both an overarching perspective and in specific critical chains, across a range of timelines and severities.
As demonstrated by this pandemic, what effects could an extreme stress scenario such as multi-month disruption to business as usual activities have on supply and demand:
Which suppliers are anticipated to be able to cope or would struggle and why?
What are the risks and pinch points such as supplier concentrations in a single location?
What are the workarounds and compromises such as replacement with internal provision if a stressed exit is necessary?
What are the cost and contractual implications in terms of ongoing supplier payment if e.g. demand drops?
Would risk appetite and/or (in FS) impact tolerances for important business services be breached?
Analysing the effects of such scenarios will support understanding of their potential costs and how investment in resilience could ameliorate downside experience, a likely justification needed for any proposed changes in supply chain dependencies and efficiencies to the Board and investors (if significant). Such insights will also inform risk mitigation strategies and structural decisions on sourcing to ensure risk exposure levels and the supplier portfolio / level of diversification align with risk appetite provisions.
Supplier categorisation and risk assessment
As part of supplier due diligence, typically a range of risk areas will be considered covering financial, operational, ESG (Environmental, Social, Governance) and compliance factors, with the depth of analysis influenced by the criticality of the supplier and business sensitivity to performance issues.
Factors that determine supplier criticality should be tested to ensure they remain relevant and proportionate in light of potential changes to the importance of product and service portfolios, as well any whose failure to perform could affect the safety and soundness of the firm or breach organisational risk appetite. Categorisation should also influence potential risk mitigation strategies – which suppliers warrant an engaged, collaborative approach to build the relationship, which suppliers could potentially have financial support provided to them to help streamline working capital (potentially a mutually beneficial way of improving relationships) or in the event of difficulties etc.
Risk assessment needs to go beyond asking a supplier if it has a BCM policy. For critical suppliers, how mature are their internal risk management and resiliency capabilities, including for their own supply chain, and how will this be evaluated; do they have, for example, the ability to maintain long-term remote service provision with the agility and capacity to switch their operational activities to alternate facilities or locations (would this impact data privacy?), and has this been tested? How quickly could the supplier ramp-up service following an outage, and would the firm receive priority if capacity is limited (do they provide service to peers e.g. Cloud, and potentially present a systemic risk)?
When assessing the risk of a third party, a broader risk perspective beyond the supplier itself should be deployed, for example:
Does the diligence approach capture and evaluate potential risk concentrations (e.g. multiple areas of the organisation served by the same supplier, or proximal geographic locations with other critical suppliers)?
What is the ability to substitute the supplier (is there vendor lock-in, non-correlated supply options available)?
Is there an internal risk the supplier is mitigating and is this a favourable risk appetite trade-off?
How are these aspects scored or reflected? Do thresholds for onboarding approval / rejection or required remediation work need readjustment? What alert signals would trigger reassessment in the future?
Ongoing risk monitoring
Extended global supply chains that potentially consist of thousands of actors across multiple tiers face a vast and ever-changing risk landscape. Detailed risk assessments cannot typically be provided at a sufficient frequency to provide up-to-date risk intelligence and are resource intensive, although for a select number of critical suppliers it may be justified to perform such assessments on a regular basis, perhaps as part of supplier performance management activities
Leverage of the data environment and technological automation of monitoring provides an option to track changes in supply chain risk more dynamically and cost-effectively. By defining Key Risk Indicators (KRIs) powered by internal and external data sources, early warning alerts of significant changes in supplier risks in focus can be provided. When combined with automated search and reporting technology, including AI based algorithms and machine learning to improve surveillance and alert accuracy, a large number of third parties can be monitored for a wide array of risks with relatively low resource intensity.
As well as monitoring of specific suppliers, wider resilience factors pertaining to sectoral or geographic areas can also be covered; for example, if there is a concentration of critical suppliers in a city or region, resilience indicators could include infrastructure capacity for broadband and transport networks, natural catastrophe exposure, the cyber risk environment etc. Tracking macro-level risk indicators in addition to supplier level metrics will provide a more comprehensive understanding of threats to supply chain and operational resilience.
If you have any thoughts or comments, or would like to discuss this area in more detail, please drop me a line.