riskmethods welcomes a guest post from Kai Busse, expert for the procurement area and founder of Pexin Consult.
Using the risk groups defined in your risk prevention strategy as the basis, determine risk indicators that will form the basis of risk monitoring in future. The suitability of a risk indicator can easily be checked by posing the following question:
- Can a risk that is listed in our risk prevention strategy be identified based on the occurrence of an event (in terms of this indicator)?
An example: The frequently used indicator for supplier creditworthiness is suitable for identifying supply risks. If, however, image risks are the focus of monitoring, this indicator can safely be dispensed with.
Once all risk indicators have been determined, they must be correlated in terms of level of priority. This results in a risk matrix. The following rule of thumb applies: The highest weighting is assigned to the highest loss potential. Do you assign this rating in Procurement only? No! Other departments are in a much better position to assess and quantify the impact of certain events. Consequently, as is the case with strategy development, a collaborative, cross-departmental approach also applies here. Apply a modified form of utility value analysis as part of a workshop. Rate all risk indicators with points from 1 – 100. Perhaps, for purposes of easier orientation, assign value ranges to the impact (“very low impact 0 – 20” to “jeopardizes continued existence 90 – 100”). Then correlate the scores – and you have your risk matrix. Once your monitoring is up and running, use the same pattern to allocate criticality ratings ranging from low to high to events that occur or general incidents (e.g. country risks). This means that you will have a current risk figure for every indicator, and this figure will be updated with all new information received and assigned the weighting of the risk indicator, resulting in an overall risk figure. But the risk matrix must now first be populated.
As already mentioned, current and valid information is the key to successful risk monitoring and management. Suitable data sources must then be identified for your risk indicators. Besides internal sources, countless data providers operating on a global/regional, commercial or non-commercial basis are available to you. When selecting your data providers, take note of the frequency of data updates. The data provider should have its own research capacities and make the data available to you in a workable format.
Unfortunately not all information required is readily available in a prepared format. Address data is core information for recognizing at an early stage whether your supply chains are threatened by natural disasters, strikes, unrest, weak infrastructure, political instability and a whole lot more. This mainly applies to production, development and service locations of your suppliers and their subcontractors, as well as to central logistics hubs that form part of your supply chain’s path. Internally available address data for suppliers can only be used to a limited extent in many organizations, as ERP systems often only provide commercial addresses, and not risk-relevant locations. Information on 2-n TIER suppliers is frequently not available at all. For this, there is unfortunately no way around cumbersome research among all suppliers affected. Ideally you should integrate the obligation to provide information on subcontractors’ location addresses in your standard contracts.
For each risk indicator, determine the data update cycle. Available real-time data should also be processed in the same way. Fortunately the addresses do not change that often, which means that an update every six months or every year suffices.
Which suppliers are then actually included in your monitoring necessarily follows from the product and/or material groups defined in your strategy. In this regard, organizations often choose to include the suppliers with the highest revenues in their monitoring. This is a decision for which they could pay dearly, as missing Cent items can also cause severe production disruptions. The wider the base of suppliers included, the higher the chance of recognizing all risks that occur. It is essential to assign one employee to each supplier as the person responsible for risk monitoring and management. Who is responsible for which supplier in most cases also follows from the responsibility linked to product or material groups.
Done! Once you have developed the matrix, assigned responsibilities and researched, assessed and included the initial data, you will for the first time have a comprehensive overview of the current risk situation of your supply chains.
I will deal with the implementation of risk management in the third part of my blog series.
Sign up to receive updates from the riskmethods Blog