Despite the general consensus that risk management is important, recent studies have found that many companies still have a long way to go and a lot of work to do…
“The Supply Chain stuff is tricky!” – Elon Musk at Code Conference in 2016.
When someone like Elon Musk says that something is tricky, it means something! The examples that Musk mentions in the video show that modern supply chains are becoming more global and more complex. This complexity also leaves organisations exposed to more risks because the current business environment is characterised by VUCA (Volatility, Uncertainty, Complexity, and Ambiguity).
The uncertainty surrounding Brexit aside, other recent events, like growing tensions with China and Iran, are daily reminders that today’s global business ecosystems are precarious. And it’s not just the potential for international conflict and instability that is making business riskier. Many countries have also introduced new regulations on sustainability (modern slavery, conflict minerals), or diversity, which add new risk factors in terms of compliance.
Make Risk Management Part of DNA
Between business continuity aspects, legal or normative aspects, and protection against a public backlash whenever malpractice is discovered in an organisation’s supply chain, there are more than enough reasons to make risk-management part of a company’s DNA.
Despite the general consensus that risk management is important, recent studies have found that many companies still have a long way to go and a lot of work to do.
Some of this work should include building better relationships with suppliers and colleagues. As I mentioned in a previous article, these relationships can play an important role in helping companies identify and mitigate certain types of risk — but not all. In addition to being on good terms with suppliers, companies will need to cover many other aspects to manage risk effectively and protect themselves.
These days, procurement organisations cannot afford to ignore leave risk management off their list of top priorities. There are many reasons for this. Here are three of the most important ones.
Reason #1: Risk is everywhere
I don’t want to sound alarmist, but we live in a troubled and complex world. There is no shortage of events that could jeopardise and/or disrupt a business, potentially impacting their profitability, business continuity, image, and reputation.
Protecting your business from these disruptions is challenging, because they can originate from so many different sources. Natural disasters, accidents, social events, changes in regulations, intellectual property infringement, quality issues, and attacks on cybersecurity are just a few examples.
“Governments are also taking action by engaging in an escalating global competition to maintain and improve national competitiveness in the 21st-century digital economy. […]. While such cross-border competition is by no means new, the geopolitical undertones in this battle for dominance raise the risk that the digital economy will continue to fragment, complicating global supply chains and the operations of international companies, and acting as a drag on economic growth.”A.T. Kearney in Competing in an Age of Digital Disorder
Another key factor is that our world is changing faster than ever. Just look at the political, technological, and societal changes that have taken place in the past few years; many of them fuelled directly or indirectly by the impact of digitalisation.
As a consequence, the lifespan of companies is shrinking, year over year, as illustrated by the evolution of lifespan of companies in the S&P 500 index. All organisations are in danger, not just the large ones, and that includes your company and the companies you buy from.
Survival Through Prevention
Despite this reality, risk management has been a relatively passive domain for a long time, and it has frequently (and problematically) been equated with crisis/incident management. People were looking into risk management after an event had already happened; i.e., too late!
This was because the world of yesteryear was more stable and pretty predictable. In today’s world and in the future, the accelerating pace of change and the expanding globalisation of the economy mean that anticipation is crucial.
The risk management of today and tomorrow is about survival and making the right procurement decisions, which requires procurement to think about what “comes after” and how certain choices can make a company more or less safe in the long run. Prevention is better than cure!
“[An] enterprise is facing increasing danger that key sourcing decisions will prove uneconomic sooner, and with more damaging consequences than would normally have been anticipated by risk equations that presumed the older supply chain model. Starkly put, the odds of supply chain disruption are growing and will grow even greater in the future.”CSCMP’s Supply Chain Quarterly
Obviously, what represents a risk depends on many factors and varies from one company to another:
- Companies in B2C may be more vulnerable to risk related to their image and their reputation. If something happens that jeopardizes either of these, their brand could suffer.
- Companies or organizations from the public sector and/or selling to administrations may be more vulnerable to regulation changes.
- Standards/regulations regarding fraud and ethics may also vary from one sector to another.
Reason #2: Black swans are not an excuse to ignore risks
“Everybody has plans until they get hit.” -Mike Tyson
Anything can happen, even a shootout at the Mexican border, as told by Musk in his interview. Such “black swans” exist, and planning for the seemingly impossible is another lesson learned from “Best in Class” organisations regarding risk management: being prepared for problems enables companies to react faster to unforeseen events. They become anti-fragile!
It’s true that, by definition, risks reflect potential future disruptions. The goal is to foresee them and define ways to reduce the probability that such events ever happen and/or to reduce their impact if they do happen. Unfortunately, there is no crystal ball for Procurement; no one knows for sure what the future holds.
The only solution is to imagine different scenarios for potential problems. These scenarios can either be based on experience (problems that already happened to other organisations) and based on brainstorming (a.k.a. risk identification).
This may sound like daunting work, but it’s worth it. Organisations that have invested time and energy into identifying risks, assessing them, and defining ways to mitigate them are better at managing incidents they did not anticipate.
Reason #3: Supply chain issues are costly
There is no universal “best practice” recipe per se; only best practices in a certain context. But, what is certain is that not taking care of risk can be costly.
A 2018 study by the Business Continuity Institute and Zurich Insurance Company examined the financial impact of supply chain disruptions. The findings revealed that not only disruptions have a cost when they occur, their effects can do lasting damage. It takes months to recover and, in many cases, there is no full recovery!
So, in the war against risk, being prepared, defining various scenarios and recovery plans/actions, having the right skills, and the proper technology makes an organisation more resilient and more agile when something unexpected happens because:
- they can re-use a predefined recovery plan
- they have the processes and governance in place to act and decide fast
- the people in the organisation have risk management in their DNA