Enterprise risk has never been a higher priority for businesses, executives and procurement practitioners than right now in light of the COVID-19 crisis. The coronavirus disruption has only accelerated many enterprise risks — from cyberthreats, employee health and safety, and most certainly, to supply risks affecting suppliers in complex value chains.
Supply-side practitioners and their corporate risk management and IT peers are staring down these challenges. They are looking for help to scale up their risk recovery capabilities for now and their risk prevention capabilities for the future. Yet, the risk management technology and services markets are fragmented and poorly integrated, mirroring the situation at most organizations.
Spend Matters has been conducting an in-depth analysis of this confusing supply market and is sharing its knowledge of roughly 50 vendors, drawn from the research and advisory work that our technology analysts have done in this complex area.
In an ongoing Spend Matters PRO series, we have delved into the world of enterprise risk. First, we provided an understanding of what risk management is with an in-depth overview. We then analyzed the top four vendors in the supply chain risk management sector to see how they work within this space. We also analyzed eight supplier management providers that might be helpful to know. In our latest publication, we offered an explanation of some supplier financial risk monitoring services that may help.
We see many of our practitioner clients struggling with how to unify all of these stakeholders and systems — and also just getting the funding needed to do so. They struggle with what types of providers are appropriate to consider beyond the traditional silos as well.
So, how can practitioners best manage risk?
For procurement and supply professionals, managing risk is challenging because they might not necessarily get as much credit for reducing supply risk as they do for reducing supply costs (spend). But risk impacts their ability to help the business accomplish its goals, and supply risk management is about protecting the supply/service lines that support those goals.
Risk: The Good, the Bad and the Ugly
The “good” is the ability to extend and integrate enterprise risk and compliance to external partners of your business — if you can do it! If the goal is to reduce enterprise risk, there is value in extending risk management processes beyond your own four walls to your trading partners. Make sure that your internal stakeholders are on board with the initiatives for business continuity planning (BCP), corporate social responsibility (CSR), IT risk management and other areas.
As such, the “bad/ugly” aspect of poor alignment is the inability to execute these aligned processes given the fragmented terminologies, methodologies, regulations, stakeholders and solution providers/markets vying to help solve these issues.
And supply risk management is a two-headed beast:
- The ability to manage and mitigate RISK within the SUPPLY MANAGEMENT function (i.e., source-to-pay and broader value chain), including within the supplier management process
- The SUPPLY-side aspect of enterprise RISK MANAGEMENT where enterprise risk and compliance (including to CSR/ESG goals) requirements get extended out to supply chains and third parties (e.g., suppliers!)
We can’t delve into all the organizational issues here — like the philosophical battle of whether ERM or GRC is the best top-level methodology; or where sustainability best slots in; or even who should own TPRM (third-party risk management) organizationally. Regardless, when you start “connecting” the dots across (and within) these domains, you’ll see the potential linkages that are needed — and how many are lacking.
But, some basic definitions of the model are in order:
- Enterprise Risk Management / GRC isn’t a subset of supply risk management, but rather, a superset. It provides the “backplane” that supply risk management should plug into. For example, managing vendor/supplier risk for IT suppliers must take into account IT risk management requirements from IT and from broader ERM/GRC requirements (and specific customer requirements).
The same goes for supply chain risk management docking into business continuity planning (BCP). And supplier compliance should dock explicitly into corporate compliance within ERM/GRC (e.g., regulatory compliance for supplier diversity, sustainability and so on).
- Third-Party Risk Management (TPRM) is also an area that is both part of ERM/GRC and also a slightly larger superset of supplier risk management (note that we’ll generally use the word “supplier” vs. “vendor” even though the latter shows up very often) because it also includes customers (e.g., KYC due-diligence processes to “know your customers”).
In other words, supplier risk management is a form of TPRM, just as supplier contract lifecycle management (buy-side CLM) is part of broader enterprise CLM. Many organizations struggle with the decision of what apps to use here since they want both the ERM/GRC integration with TPRM and the source-to-pay suite integration with supplier risk management.
Within Supply Risk:
- Supply Chain Risk Management can be a superset of supplier risk management (because the supply chain is a collection of multi-tier suppliers). But it also is a subset because it focuses primarily on supply continuity rather than other risks, such as product quality risk, price risk, IT/cyber-risk, etc. We chose the former assumption for convenience and because these solutions have much broader data models than just supplier risk management solutions. Also, there’s a layer in between the supply chain and the supplier — namely the category. This is shown below:
Now, you might be wondering how the actual landscape of risk works. Below is a list of the main categories within risk management:
- Supplier Risk Management
- Supplier Financial Risk Management
- Contingent Workforce / Services Risk Management
- Supplier Risk Monitoring
- Supplier Compliance Management
- Fraud Prevention and Detection
- Contract Risk Management
You can read an explanation of each risk category here, where we also present a graphical framework of the above categories and how they relate to one another.
Managing Risks using Third-party Sources
From supply chain management vendors to supplier management services, there are different ways companies can manage their risks using third-party sources.
And just like in any industry, there are some key players. We shared 50 of the vendors making a difference already. For example, in the supply chain risk management space, there are three key players: Resilinc, Resilience360 (a DHL spinoff) and riskmethods. But there are also more niche providers if you want supplier intelligence monitoring or supply chain mapping.
For S2P, risk is usually pegged into supplier management, often called “supplier lifecycle management.” Practitioners struggle with this area because of its complexity (e.g., based on the number of critical suppliers and risk types), more nuanced business case, and number of internal stakeholders.
Supplier Risk Management
Providers like Allocation Network, APEX Analytix, Coupa, HICX, Ivalua, Jaggaer, Procurence and State of Flux can work alongside other types of vendors targeting supplier risk management.
However, supplier risk management can still be a daunting problem to tackle when procurement leaders are not always measured on supply risk success. In a study that we did a few years ago with over 200 procurement professionals, we found that 53% of them weren’t even measured explicitly on reducing supply risk. So since “what you measure is what you get,” procurement may not always be leading the charge here.
That said, no CPO wants to be caught off guard if a critical supplier goes bankrupt, and this is why a higher percentage of firms will perform a subset of supplier risk management: supplier financial risk monitoring for critical suppliers. CAPS Research from April found that 72% of surveyed firms are currently using third-party tools to monitor their suppliers’ financial performance.
The market for supplier financial risk monitoring is especially challenging because it’s complex, poorly regulated and not well understood. This leads procurement leaders to make suboptimal choices, running the risk of underprotection, overpayment and a deluge of “false positive” alerts. Even so, this area is obviously a huge concern right now, given the pandemic’s adverse impact on most suppliers’ financial health (or on their capacity if they’re one of the few “winners” in the market).
Risk management has become front and center in most organizations’ strategies. The timing also couldn’t be more critical given what’s happening with COVID-19 and the impact that it’s having on so many suppliers right now. This is especially true for smaller or private suppliers that don’t have strong capital reserves to weather a prolonged crisis that looks to be hanging around for at least another 12 months.
Check back with Spend Matters PRO coverage to read the next installments in our series on risk management solutions. We’ll discuss many more vendors and their capabilities.