Suppliers are now one of the most likely causes of significant business problems. Whether it's your web providers allowing dangerous credit-card-skimming plug-ins on your e-commerce site, or your suppliers using child labour to make fashionable clothing and accessories, your supply chain is a massive source of risk. However, outside of a couple of highly risk-averse sectors (such as nuclear or weapons), most organisations simply do not do as much Supplier Assurance as they would like to.
Current standard practice is very much as follows:
- Suppliers are risk-assessed at the point of on-boarding, with only a few continuously re-assessed as circumstances change
- Supplier impact assessment (evaluating how critical any supplier is to the customer, and therefore what assurance approach they should receive) is done on the basis of spend, not on the potential for causing data breaches or corporate embarrassment
- Where there is easy-to-look-up, pre-verified data, as there is for financial data from Creditsafe or D&B, that data is used, and often forms the only material basis of the evaluation, which is at odds with the areas of risk actually likely to cause an issue
- Questionnaires are sent out by email, making them hard for suppliers to complete and hard for you to assess and review once the responses come back
- Questionnaire responses tend to be kept in their respective silos (the IT team look at cyber, the DPO at GDPR, etc.) with no one pulling together a 360-degree view of all risks
Overall it is a very manual, ad hoc process with little automation and never quite enough standardisation.
The reason, of course, is cost. It is potentially expensive to risk-assess the entire supplier base regularly, particularly if you are doing everything manually. Even if you triage the risk and concentrate resources on the most critical suppliers, most organisations cannot tell their Risk Committees, Regulators or Shareholders a particularly convincing story when it all goes wrong.
Improving both the effectiveness and efficiency of supplier assurance requires new thinking, some automation, and clarity around roles and responsibilities.
The first bit of new thinking around Supplier Assurance is about professionalising what is often an ad hoc, disjointed process with little exposure at Board level.
- Define what supplier risk means to your business. What are its dimensions? E.g. credit risk, modern slavery, ABC (anti-bribery and corruption), cyber security, product quality, materials delivery, etc.
- Supplier risk can kill a business, so the Board needs visibility of the current risk status of each supplier
- Have Supplier Assurance objectives and KPIs that you report on
- Have an agreed, 100% implemented Supplier Impact Triage process in place, so that you know which suppliers are the worst case (we like 5 levels, Very Low to Very High)
- Agree a fixed, non-negotiable assurance approach for each level of impact
Secondly, invest a little in automation and an online portal. Sending out long "fire-and-forget" questionnaires in Word or Excel may be "the way we do things", but it doesn't let you know which suppliers have started, which are ignoring you, and what the scores are in real time. Create a Supplier Assurance portal, for example using Rizikon Assurance, that:
- Allows complete standardisation of questions and gives you one place to update questionnaires with new standards and regulations
- Has automated reporting, scoring and supplier chasing
- Supports re-assessment on a regular cycle (the supplier just updates what has changed)
- Allows suppliers to share questions internally (no one person ever knows everything)
- Has 'smart' assessments that ask the minimum number of questions, not "War and Peace"
- Pulls in data from sources like Companies House and credit-scoring platforms like Creditsafe
- Displays all risks in a single view for the Board to understand
Improving Supplier Assurance productivity doesn't need to cost the earth. Check out Rizikon Assurance for some new thinking and take control of third-party risk.