It’s infuriating when you’ve done everything right, but you’re tanked because someone you don’t know did something wrong.
That’s the situation that many public sector contracting authorities find themselves in when they’ve implemented a sound risk management strategy and their direct supplier has also assiduously incorporated risk management in its business operations; but one of their supplier’s suppliers was caught cutting a corner and now they’re also facing legal liabilities.
How do you spare your organisation a similar fate?
With thorough supply chain risk assessment and management, that’s how.
We’re going to look at the importance of managing risk and provide tips to develop a comprehensive risk management strategy that spares your public sector organisation the agony of being painted by an indirectly tainted brush.
What Are The Types of Supply Chain Supplier Risks?
The number of potential risks is legion, but it’s possible to gather them into three primary risk categories.
1) Financial risks
Financial risks come at you from all sides. A supplier might flirt with the red by carrying too much debt or the exact opposite, loaning too much cash that isn’t being repaid.
The risk to contracting authorities is that the supplier won’t have the funds to continue providing products or services. As a result, they can’t follow through to discharge their responsibilities.
This is a big problem because public sector bodies have a lot of very important responsibilities, like paying benefits, keeping street lights on, and ensuring the safety of play equipment at play parks.
By properly managing risk, however, government bodies can continue to meet their financial obligations.
Market risks
You can’t control market risks, but you can anticipate them. By analysing data and keeping up with financial and economic news (local and global) it’s possible to identify red flags and adapt your strategy for mitigating risks.
Note: It’s a good idea to investigate suppliers (and their suppliers) to see if they have business risks looming, for instance, pending lawsuits or fines for failing to comply with regulations.
Supply Chain Risk Mitigation Strategies for Financial Risks
The most important thing you can do to mitigate financial risks in your supply chain is to thoroughly investigate potential suppliers.
Below are some tips for the investigative process to curtail unexpected risks.
1) Compare suppliers
You can compare suppliers on a central supplier risk management platform. The risk management platform should contain supplier profiles for everyone, including suppliers’ suppliers’ suppliers.
Risk identification features vary according to the platform, but generally you can:
- Identify and gain insight into potentially high-risk suppliers.
- Evaluate and mitigate risk exposure.
- Identify risks regarding potential regulation violations.
- Conduct ongoing supplier risk assessments to pre-empt problems and effectively manage risk.
2) Dive deep into the supplier chain
Risk analysis here depends on several factors, like the complexity of the contract. A straightforward contract might only have one level of suppliers. But a more complicated contract might go down to third, fourth or fifth parties: your supplier’s supplier’s suppliers, etc.
Sometimes, the deeper the dive the greater the financial risk. However, risk analysis is relative. Your department might find the risk low enough to be acceptable. But some branches of local government can’t afford to take the chance, in which case a discussion with their suppliers about mitigating risks might be in order.
3) Conduct background checks
Public sector buyers have non-negotiable budgets and must have absolute confidence in their suppliers.
Under these circumstances, the process of identifying risks starts with investigating suppliers’ history. It’s a good idea for contracting authorities to look into non-compliance allegations, reasons behind changes in leadership, staff turnover, and reasons behind mergers and acquisitions.
If it seems like there are too many risks, don’t feel guilty about cutting suppliers from your list.
2) Third Party Supply Chain Risk Management
There are several ways in which third parties can make managing supply chain risks a righteous pain in the neck.
Here, we’re going to look at Environmental, Social, and Governance (ESG) risks.
Environmental Risks
Environmental risks are related to natural disasters and sustainability with particular regard to renewable energy, safe waste disposal, offsetting pollution, and conservation of natural resources.
There is a lot of pressure on the public sector to work towards net zero carbon emission goals. For the sake of enterprise risk management, authorities must be vigilant in rooting out damaging environmental practices by their suppliers.
Social Risks
The Procurement Act 2023 emphasises social value, so public sector organisations need to be extra conscientious when identifying risks before awarding contracts.
Social value aspects include diversity (inclusive workforce), human rights (modern slavery), economic relief (apprenticeships), and community support (mobile clinic).
To identify risks, buyers must include these aspects in their background checks, which must be thoroughly comprehensive to prevent external risks from occurring.
Governance Risks
Governance supply chain risks have to do with upper-level business practices. So the integrity of management, fairness in internal controls, and accurate and transparent tax submissions.
Governance risks can be tricky to address because they come from on-high and no one particularly wants to be a whistleblower. However, it’s important to include them if you want an effective risk management strategy.
Supply Chain Risk Mitigation Strategies for ESG Risks
Prevention is better than cure, right?
To prevent serious problems from cropping up at some point during the contract, you must be meticulous with supplier due diligence.
Risk management is even more important when you consider that suppliers and other parties could be guilty on several counts. A supplier flouting environmental regulations, for example, might also avoid employing local talent.
So, how does one mitigate combined or multi-risks?
Sophisticated supply chain risk software is the answer.
Supply chain risk software or Third Party Risk Management (TPRM) platforms can process huge amounts of data and generate reports on anything from fines for environmental damage to penalties for late payments for tax returns.
With that kind of data at hand, managing risk is much easier.
3) IT-related Risks
IT is about as broad a term as it’s possible to get. We need to narrow it way down when it comes to mitigating IT supplier risk in public sector procurement.
1) Cyber security
Your cyber security system could be second to none, but all it takes for sensitive data to be compromised is a breach in a fourth party’s security system that disseminates government data across the web.
2) Privacy
This is closely related to cyber security risks in your supply chain. It can also be a very expensive risk that results from incomplete supplier due diligence.
Here’s a somewhat scary example to bring it home.
In October 2020, Morgan Stanley was fined $60 million (over £47.56 million) in part for failing to assess and mitigate the risks related to selecting and monitoring a subcontractor for a decommissioning job.
The lesson is simple: If you want to maintain an effective risk management process, don’t stint on due diligence.
3) System risks
It’s not just data that is at risk from cyber attacks. Your operating system can also be targeted. Malware, especially ransomware, can compromise your IT system’s software. Data can be lost, critical processes can be locked, and your website can be brought down.
This series of negative events can disrupt the entire supply chain which results in a whole host of other risks.
4) Compliance
There are several cyber security regulations governing public procurement in the UK and compliance is mandatory. You must have working knowledge of the following:
- Data Protection Act 2018
- UK General Data Protection Regulation
- Network and Information Security Regulations 2018
- Computer Misuse Act 1990
Successful risk management requires every single party to fully comply with the laws in each set of regulations.
IT-related Supplier Risk Mitigation Strategies
The first step in IT risk management is to ensure that your Chief Information Security Officer (CISO) is involved from the very beginning; that is, when selecting a TPRM or supplier risk management software. That way, the set-up is designed to guarantee regulatory compliance from the get-go.
Some software can conduct ongoing cyber risk monitoring to ensure all parties in the supply chain have the requisite protection systems in place and that there haven’t been any breaches that will negatively affect your operations.
10 Additional Risk Management Tips to Ensure Supply Chain Resilience
Now, we’re going to look at 10 tips to kick your supply chain risk management strategy up a notch.
1) Calculate your risk tolerance
You’re unlikely to protect your supply chain from all the risks associated with procurement.
So …
List the identified risks and determine how negative consequences will impact their risk tolerance. For example, IT systems have low-risk tolerance and need dependable security and risk reduction measures in place. On the other hand, social value initiatives could be quite robust with high-risk tolerance. They’re not a priority for your risk management team.
2) Use security questionnaires
As risk evaluation measures, security questionnaires need a little faith. You send them to potential and existing suppliers (and their suppliers, etc.) to learn more about their cyber security systems, including security controls, prevention of cyber attacks, and risk management frameworks (NIST or ISO compliant).
Verify the answers if possible. But if you can’t, you have two options: assume 100% honesty or go back and ask for more details to optimise your risk management process.
3) Invest in data tracking software
Tracking software is like a warning system that alerts you to any data breaches and leaks. As an effective risk management strategy, it’s designed to identify the breach’s location and track the data through the ether.
It might not prevent data leaks, but it drastically cuts response times and can save government departments hundreds of thousands of pounds in reduced down time.
4) Maintain ongoing monitoring and managing of supplier risks
Supplier risk assessment isn’t a once-off effort. It must be conducted regularly to ensure all suppliers still use appropriate risk management practices.
5) Include all interested parties
To get a comprehensive list of risks and insight into risk assessments, you need to form a risk management committee with department representatives from legal, data privacy, IT security, procurement, and supply chain management.
This helps to ensure risk management plans leave nothing to chance.
6) Have a plan B
Again, risk management strategies aren’t infallible. You have to accept you’ll never be able to completely eliminate risk, and the deeper your supplier parties go, the likelier there will be problems. This is why a good supplier risk management plan includes a plan B (C, D …).
Contingency plans are particularly important for low-risk tolerance suppliers. Ensure your plan B is always ready to be implemented.
7) Create a supplier risk management training programme
It’s great having a contingency plan waiting in the wings, but you also need staff to implement it successfully. Untrained staff can unintentionally muck up a plan or worsen the negative consequences resulting from the realised risk.
Employee training programmes for staff with a vested interest in the contract will help with the seamless implementation of the backup plan.
Note: Train your suppliers, so they can manage business risks in their supply chain, and are aware of the many risks that could jeopardise your regulatory compliance status.
8) Embrace technology
Technology has revolutionised supply chains and supplier risk evaluation. Contracting authorities that don’t get on the technology bandwagon lack a solid barrier between them and catastrophe.
Technology that can help maintain a resilient supply chain includes:
- Real time tracking, monitoring, and alerts.
- Automation, including AI and Machine Learning (ML), takes the drudgery out of time-consuming routine tasks while streamlining operations, increasing accuracy, ensuring regulatory compliance, and collecting and analysing supplier data.
- Analytics provides critical insight into your operations, as well as your suppliers’ suppliers (etc.), red flagging potential risks and forecasting future risks so you can take steps to avoid or mitigate their impact.
- Supplier portals or central hubs provide more opportunities for collaboration, as well as systems that facilitate collaboration. Transparency is the keyword, as all parties have access to contract information, which makes risks difficult to hide. In effect, all parties are involved in risk sharing, turning the job into a team effort.
9) Diversify your supplier base
Some risks have the potential to affect all local and nationally-based suppliers, for example, economic downturns or civil unrest. A supplier base that goes beyond regional and national borders could not only survive the turmoil but could thrive in international markets.
10) Pre-qualify suppliers
Set clear criteria and requirements for each contract. Use automation with pre-set values to evaluate suppliers based on the criteria and avoid preventable risks. Unsuitable candidates don’t make the list, but suitable candidates continue their supplier journey.
Pre-qualified suppliers go into an approved suppliers pool, which makes the process of finding and contracting suppliers that much quicker and easier.
Not All Risks Are Bad Risks
Healthy risk-taking is good for businesses and public sector procurement processes. In fact, strategic risks can create highly profitable operations.
The trick is to find your risk appetite (the level of risk acceptance) and weigh these risks against the potential rewards. If the figures are favourable, get the approval of key decision-makers and publish the contract notice.
Don’t worry if the figures are unfavourable; government departments evaluate risks differently. A particular risk may be important for one department, while another department might not consider the risk criteria worth the attention.
Data forms the foundation for your decision. Delta eSourcing has an analytics tool that provides the insight needed to take strategic risks while creating an effective risk management strategy.
Not only that, but Delta eSourcing has an eTender portal that seamlessly integrates data analytics, providing a comprehensive supply of data that simplifies supplier risk analysis and mitigation to facilitate the creation of sustainable risk management strategies.
Contact Delta eSourcing and book a free demo. Our services and experienced team can set your mind at ease and give you the confidence to select reliable and advantageous suppliers – and their suppliers’ suppliers’ suppliers.
