Seeing What’s to Come: Digital Risk Management in Procurement

Seeing What’s to Come: Digital Risk Management in Procurement

Seeing What’s to Come: Digital Risk Management in Procurement
Seeing What’s to Come: Digital Risk Management in Procurement 


Risk in the Global Supply Chain: A Growing Threat  The world is becoming increasingly interconnected, creating complex interdependencies in global supply chains. At the same time, uncertainty is growing, with companies being exposed to a wide range of supply risks threatening their business. Chinese factory closures as a result of environmental efforts lead to unforeseen standstills in Germany, trade barriers increase sourcing costs, and unethical conduct on the part of suppliers leads to reputational risk. The consequences are significant. The insurance company AON estimates noninsured costs of $134 billion from natural disasters in 2017 alone. Some businesses even face permanent consequences, such as drug substitution in the pharmaceutical industry.
Background: Conventional Best Practice in Risk Management  
CPOs must excel in managing the risk associated with the supply base. In the past, procurement employees and subject matter experts discussed risks intensively based on their gut feeling and past events. This cumbersome approach yields false results, as identified by Nobel Prize winner Daniel Kahneman in the “representativeness heuristic”: We overestimate the likelihood of recent events and get a distorted view, which in turn disproportionately exposes us to new events. Leading companies overcome this overexposure through a holistic approach that assess risks correctly, selects optimal mitigation levers, and equips risk management with digital and organizational enablers, as shown in exhibit 1.
 
Download Also:
Exhibit 1: Risk management approach 
Understanding Risks  
Two risk types need to be differentiated, “black swan” and “detectable risk.” A black swan is an outlier beyond regular expectations, as no data from the past can credibly point to its likelihood. These include rare natural disasters and unexpected political movements, such as sudden barriers after decades of free trade. It is common to rationalize events as predictable in hindsight, with the risk assessment program getting the blame for failing to predict their occurrence. With this assessment, managers acknowledge the existence of unpredictable events to focus on managing them. On the opposite end of the spectrum is the detectable risk for which the likelihood of occurrence is determined by observing previous occurrences. To predict such risks, easy-to-recognize signals are used initially, such as a supplier’s deteriorating financial performance. The sophistication of detection increases by adding more signals—such as weather forecasts to predict water shortages.  
Next to the two risk types, leading companies assess the impact, and thus the consequence, of risks by simulating profit and reputational losses, such as missed deliveries, damaged assets, or consumer boycotts. This is done, for instance, by linking a bill of materials to final SKUs in the ERP system to simulate supply disruptions of components or suppliers.  The difference between the two risk types becomes apparent in our exhibit 2—a framework typically used in risk management.
 
Exhibit 2: Risk assessment framework  
Events marked as “high risk” have a large business impact, where close monitoring is set up to ensure fast responses. Operational risk is a minor disturbance that occurs frequently and causes smaller disruptions; for example, due to late shipments or customs issues. It is easy to overlook this as non-existential, although it presents an impact opportunity by optimizing mitigation using breakdown frequency as a parameter. 
 
To manage disruptive risk, leading procurement organizations leverage sensitivity analysis to decide on an acceptable risk exposure, such as identifying particularly harmful SKUs in case of disruptions or assessing geographical supplier distributions to determine vulnerable regions. Casually monitoring the development of the “limited risk” category provides early warning signs of changes to the risk type and impact. This includes continuously screening for increasing occurrences of risks that may eventually become detectable risks.  An often underestimated factor in the understanding of risk is the aspired depth of reporting. 
Procurement professionals should neither get lost in the details nor stay at too high a level to make the right assumptions. Multiple layers of transparency have to be set up based on a clear segmentation into owners of different risks. The CPO reports overall procurement risk to the executive management but also needs access to category overviews. Category managers need their overall category risk as well as drill-downs to the supplier and SKU levels. Visualizing risk in real time is crucial in order to translate data into useable information.  Deciding on Risk Management Levers

After seeing their risks clearly, procurement professionals need to apply the right risk management levers. These levers are categorized by their application against the following:  
  • Financial loss: Directly impacts profitability, e.g., from stock damage or failed deliveries     
  • Reputational loss: Affects long-term profitability from deteriorating customer perception—for example, if engaging with unethical suppliers

Exhibit 3: Risk management levers  
The “transparency” lever thoroughly evaluates larger risk buckets to improve the assessment; for instance, by auditing supplier factories to assess disruption threats or ensure compliance with ethical, safety, and environmental standards if reputational loss is feared. The “preventive mitigation” lever minimizes risks before they impair performance. The “buffer inventory” tool is effective due to its quantifiable mitigation impact, allowing for optimization based on the risk assessment. 
 
“Dual sourcing” is a powerful tool for reducing single supplier risk, but understanding the supply chain’s geographical setup and company interlinkages is crucial—for example, by analyzing the geographical dispersion of factories or mapping sub-suppliers. The “reactive mitigation” lever reduces the damage caused by materialized risks. It requires a quick selection of the right levers and engagement of the organizational owners to make swift decisions. Simulations test emergency procedures, such as supplier approval speed to reestablish supply from alternative sources or the use of operations task force experts ready to be deployed at supplier sites to reestablish supply. 
 
Enabling the Organization  
Professionals will likely not have their risks under control if they haven’t embedded enablement properly in their operating model. We differentiate between the dimensions of organization, processes, people, collaboration, and performance management. All these dimensions are crucial for a solidly enabled risk management—for instance, in organization, ensuring that risk management is part of the category buyer’s role descriptions, or in processes, that there are risk-limiting activities in critical categories, such as regular supplier audits as part of the sourcing process. Particular emphasis, however, needs to be put on the dimensions people and performance management. 
It is of paramount importance to educate employees in the organization on how to perceive and manage risk, as well as to provide guidance for tailoring risk assessments and mitigation to category contexts. Enabling buyers to leverage the digital solutions described is also essential in getting risk management firmly under control. With category managers measured against other KPIs, performance management must include risk measures to incentivize adequate prioritization of the topic; for example, by measuring prospective efforts of preventive levers or saved value from reactive efforts. 

Unlocking the Digital Potential  
Digital tools in risk management can elevate the data foundation and decision process beyond traditional risk management. In particular, there are three challenges digital can overcome, enhancing the data foundation and transparency for assessing risks, improving risk analysis for assessing and mitigating risks, and creating a transparent and reliable flow of information (see exhibit 4).
Exhibit 4: Digital potential in risk management  
Mapping the World with Big Data  
The amount of data in the world doubles every other year, exponentially increasing the opportunities of risk detection. The key success factor in big data as the basis for risk management is to set up a good data collection and storage system that continuously grows. At first, a few simple data sources are collected, and as the system matures the complexity and amount of data is expanded.  Starting with internal sources such as supplier performance metrics of on-time deliveries and PPMs allows for deteriorating performance to be detected early and timely corrective action to be taken. 
 
Simple external data sources improve risk detection, such as monitoring a supplier’s credit rating. Adding advanced sources increases sophistication, including political risk factor detection by tracking news sources and social media; for example, by tracking the location, time, and content of tweets on the social media platform Twitter, political uprisings can be detected at an accelerated speed to predict national political instability. Supplier-level risk assessment is also improving—for example, through joint platforms to rate suppliers (e.g., Trustpilot for suppliers) and by actively monitoring government watch lists to detect unethical suppliers.

Interpreting Signals with Artificial Intelligence (AI)
Artificial intelligence (AI) adds a good measure of sophistication to the detection of risk signals by using big data to combine and analyze data sources. An algorithm could be run on a company’s suppliers by combining the macroeconomic risks of political instability and natural disasters with supplier-specific risks, such as delivery performance and credit ratings. By leveraging machine learning, AI constantly improves its algorithms by observing which events led to disruptions and which did not, thereby adjusting its risk assessments. This enables earlier risk detection and improves the scope. Based on its assessment, AI uses the risk management levers to make faster and more precise decisions. It allows for a broad range of suppliers or risks to be monitored on a continuous basis. For example, it adjusts buffer inventory to equilibrium based on its knowledge of expected disruption times and inventory costs. 
Machine learning makes it increasingly easy to choose the right levers, as it observes their outcomes given disruptive events and makes improvements as it goes along. For example, when attempting to identify the risk of a supplier’s bankruptcy, big data can provide the balance sheet and the timing at which the supplier is sending invoices, or even monitor the supplier’s input cost to assess its profit margin over time and use that information to foresee the bankruptcy. The power of AI comes in to weigh all of these input parameters and constantly calculate the probability of bankruptcies.

Optimizing with Robotic Process Automation (RPA)  Robotic process automation (RPA) considerably reduces the effort of mapping and following up on risks, which is the major operational hurdle of risk management today. It feeds big data repositories and subsequent AI algorithms by replicating repetitive, otherwise manual, tasks at several times the speed and accuracy, thereby greatly improving the process. 
 
For example, RPA data scrapes internal data such as invoices and external data from social media platforms and stores it in a combined warehouse. It also assesses risks by seamlessly linking bill-of-materials and sales data in the ERP system. Risk visualizations are automatic and link data sources in an interactive dashboard readily available to users in real time—for example, using tools such as Tableau or PowerBI that enable users to visualize the overall risk and drill down on desired segments.
Reducing Supplier Risk with Blockchain  Using blockchain ensures good traceability throughout the supply chain, helping companies to ensure compliance with ethical and quality standards, among other things. For example, companies need proof of avoiding conflict resources, hazardous materials, and child labor, and they also want proof of green energy usage, rain forest certificates, etc.  In the past, data sources were easily corrupted through manipulation, making data unreliable throughout the supply chain. Blockchain eliminates that by providing a safe environment in which a network of computers ensures the validation and authenticity of data, making it more difficult to manipulate. 
 
Furthermore, it integrates data along the supply chain to increase transparency between nodes, which makes traceability effective and trustworthy.  A recent example is Tracr, a collaborative digital platform developed by De Beers, the world’s largest diamond company, to securely track diamonds throughout the value chain and ensure ethical origins. The platform integrates data from various stakeholders, including producers, governments, banks, graders, retailers, and traders in one joint system. As the diamond passes through the value chain, the systems verifies and stores transactions to create a clear string of information. By storing information on size, color, and certificates, Tracr gives owners confidence about the origin of their diamond.  How It Has Been Done: Digital Risk Management at a Chemical Producer  A European chemical producer focused its risk management attention solely on bankruptcies, especially of smaller suppliers and the subsequent shortages within the supply chain. 
 
However, when the Chinese government began closing plants for environmental reasons, the CPO remembered the black swan paradigm and requested a risk assessment on direct products sourced from China. The results were shocking: Around 60% of the company’s end products contained a Chinese-manufactured ingredient and were therefore exposed to this new threat. Despite the fact that no Chinese supplier had faced bankruptcy in the past, the risk on products from the Chinse market had become much higher—all due to the new black swan of sudden closures for environmental reasons.  At first, a conventional assessment was plotted on the main materials, weighting the probability of a plant closure with the impact on the company’s end products, as the input parameters for the assessed probability incidents were chosen in the same industry. 
However, out of 1,800 raw materials sourced from China, a total of 500 were indicated as high-risk based on a high probability combined with a sizeable impact. More sophisticated monitoring was needed. A risk management database was therefore set up that combined a large amount of internal as well as external information from the suppliers’ quality reports, location, size, invoice timing, to press reports about closures in the same industry and region or changes in local governments with a different environmental focus. Building on that database, an AI-aided algorithm was introduced that regularly scanned all known Chinese suppliers for a potential takeover or even closure. 
 
The algorithm consisted of 23 input parameters based on the big data source and took into account closures that had already happened in the industry. Based on that, it refined its results over time. The external information was automatically searched and fed into the algorithms by search bots. The algorithm identified a subsample of 48–61 materials at high risk, which could be monitored much more easily than the 500 in the original cluster. After a year, two plants were actually closed—both of which were in the closely monitored subsample.

Where Does Risk Management Go from Here?
The challenges in managing supplier risks will continue to grow. Even more so than today, procurement organizations will be needed to put a strong focus on comprehensive risk management. Buyers will have to get used to systems that advise them on what to focus on and which levers to apply to reduce their specific risk exposure. Many tools are already available, others can be built in individual solutions, leveraging in particular artificial intelligence. Companies that make the right investments now will have a significant advantage over their competitors in the future. 
Not only will they have refined and tailored their own tool solutions; even more importantly, they will have selected the right data fields needed and started collecting the required data internally and from suppliers. Without that data, digital risk management will not be able work.  As a first step, we recommend a thorough assessment of the status quo in conventional and digital approaches and a serious review of what the company truly expects from its risk management. Based on this, the roadmap to tackle a more comprehensive risk management can be built, intelligently balancing rigor in conventional methods and enablement with new digital tools. 
 
Related Topics:
The Author: Daniel Weise

                                        Daniel Weise
About:
I am a procurement enthusiast and have the privilege to lead BCGs procurement business line globally. Supporting my clients globally and across industries, I focus on value delivery - beyond cost and including resilient supply chains and sustainability, operating model redesign and digitization programs. 
 
I have also supported many of my clients in PMI and restructuring settings. Recently, I have published my first book summarizing my experiences in digitizing procurement functions: "Jumpstart to Digital Procurement". In BCG, I am also part of our global Operations Practice Area leadership team.
Previous Post Next Post

Comments