Supply Chain Sustainability

How to implement a risk management system in the supply chain

March 18, 2024

Supply chains are rife with risks, and choosing ignorance is akin to embracing a ticking time bomb. A company with a large supply chain should think about supply chain risk management: it needs a plan for dealing with any problems that could arise along its supply chain. This article explains why managing these risks matters and how to build a plan that meets the regulatory requirements.

What is supply chain risk management?

Supply chain risk management (SCRM) is the practice of:

  • identifying,
  • assessing,
  • monitoring,
  • and managing

risk events along a company’s supply chain.

Supply chains with up to hundreds of suppliers in locations across the globe are incredibly complex hives of activity.

Given all that activity in supply chains, it’s no wonder that they are hotbeds for risks. If those risks are unaccounted for, the consequences can travel all the way back to the sourcing company in the form of penalties or supply chain disruptions.

In the eyes of the public (and increasingly, the law), the sourcing company is responsible for risks that happen within the supply chain, even if it exists beyond the direct control of said company.

Importance and benefits of SCRM

Recent regulations target human rights and environmental risks within the supply chain.

They require large companies to perform due diligence within their supply chains to take reasonable action to prevent such violations from taking place.

In view of these regulatory developments, compliance is a major factor for implementing SCRM if you are a large EU-based company. Companies that actively monitor supply chain risks are also better able to manage business continuity.

How to set up an SCRM

The Lieferkettensorgfaltspflichtengesetz and the CSDDD don’t tell us how to set up an SCRM, but the law does lay out specific requirements that should be part of your SCRM. Let’s go through this below.

  • Take steps to identify and assess actual and potential human rights and environment-related risks in the supply chain. Note that assessments must consider risks with a probability of happening, even if they do not manifest in the supply chain currently.
  • Take steps to prevent, mitigate, and remedy the specific risks. Emphasis is placed on prevention first and only then mitigation and finally, remedial action. Companies should deploy appropriate mechanisms for the detection of risks as they occur so that action can be taken at the earliest instance.
  • Due diligence is a key requirement in company policies and management systems. This goes back to the principle of prevention first.
  • Establish a procedure for receiving and handling complaints from the public, especially for stakeholders from within the supply chain. A whistleblowing channel is often used to provide a means for reporting misconduct or violations, and this should be accessible to anyone while protecting their safety.
  • Annual reporting of the above efforts must be made.
  • Companies with an annual turnover in excess of €150 million have to disclose a climate transition plan outlining their contribution to emission reduction in line with the targets of the Paris Agreement.
  • Oversight and governance of SCRM should involve senior leadership, i.e. the Board of Directors and senior management.

These are the requirements of the due diligence laws in the current European regulatory landscape. Translating this into a step-by-step framework, here’s a condensed outline of setting up an SCRM in compliance with the above criteria.

1. Risk Identification

Start by visiting your supplier database, going through each supplier to identify potential and actual risks in their business and operating environment.

Here, it is useful to note two types of risks in the supply chain:

  • Operational risks, i.e. risks within the supplier’s business that are within their direct control
  • External risks, i.e. risks beyond their control such as natural disasters or geopolitical conflicts.

Both types of risks should be considered carefully and thoroughly in this step. It depends on suppliers being willing to provide the necessary information.

2. Risk Assessment

Risks should be classified based on two factors:

  • the likelihood of occurrence
  • the severity of the impact on the business and other stakeholders concerned.

The results can be plotted in a risk matrix, which allows you to prioritise risks based on importance. For more advanced SCRM frameworks, the use of quantitative analysis such as Conditional Value at Risk (CVaR) to measure risk is common.
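As an added illustration of the two-factor classification and the CVaR measure mentioned above (example code written for this article, not part of the original post or of any tool it mentions), the block below scores constructed supplier risks on likelihood and severity, ranks them as a risk matrix would, and computes Conditional Value at Risk over a set of constructed loss scenarios. The 1 to 5 scales, the high/medium/low thresholds and the scenario figures are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed example: a risk identified in step 1, scored in step 2.
# Likelihood and severity use an assumed 1 (lowest) .. 5 (highest) scale.
@dataclass
class SupplierRisk:
    supplier: str
    description: str
    kind: str          # "operational" (within supplier control) or "external"
    likelihood: int    # 1 = rare .. 5 = almost certain
    severity: int      # 1 = negligible .. 5 = critical

    @property
    def score(self) -> int:
        # Cell value in a 5x5 risk matrix: likelihood x severity.
        return self.likelihood * self.severity


def rating(score: int) -> str:
    """Map a matrix score to a priority band (thresholds are assumptions)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def prioritise(risks: List[SupplierRisk]) -> List[SupplierRisk]:
    """Order the risk register so the highest matrix scores come first."""
    return sorted(risks, key=lambda r: r.score, reverse=True)


def expected_loss(scenarios: List[Tuple[float, float]]) -> float:
    """Probability-weighted loss over (probability, loss) scenarios."""
    return sum(p * loss for p, loss in scenarios)


def cvar(scenarios: List[Tuple[float, float]], alpha: float = 0.95) -> float:
    """Conditional Value at Risk: expected loss within the worst (1 - alpha)
    probability mass. Scenarios are (probability, loss) pairs summing to 1.
    The boundary scenario is included only with the part of its probability
    that falls inside the tail."""
    tail = 1.0 - alpha
    remaining = tail
    total = 0.0
    for p, loss in sorted(scenarios, key=lambda s: s[1], reverse=True):
        weight = min(p, remaining)
        total += weight * loss
        remaining -= weight
        if remaining <= 1e-12:
            break
    return total / tail


# Constructed register of three risks (illustrative names and figures only).
SAMPLE_RISKS = [
    SupplierRisk("Supplier A", "Unaudited labour conditions at a subcontractor",
                 "operational", likelihood=4, severity=5),
    SupplierRisk("Supplier B", "Flood exposure of a coastal production site",
                 "external", likelihood=2, severity=4),
    SupplierRisk("Supplier C", "Single-sourced minor component",
                 "operational", likelihood=3, severity=2),
]

# Constructed loss scenarios for one supplier: (probability, loss in EUR).
SAMPLE_SCENARIOS = [(0.90, 0.0), (0.07, 100_000.0), (0.03, 500_000.0)]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_RISKS):
        print(f"{r.supplier:10} {r.kind:12} score={r.score:2} {rating(r.score)}")
    print(f"expected loss: {expected_loss(SAMPLE_SCENARIOS):,.0f}")
    print(f"CVaR(95%):     {cvar(SAMPLE_SCENARIOS):,.0f}")
```

The contrast between the two numbers is the point of using CVaR: the probability-weighted expected loss of the sample scenarios is modest, while the 95% CVaR shows what the sourcing company should plan for in the worst 5% of outcomes, which is what drives the prevention and mitigation priorities in the following steps.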

3. Risk Prevention

Prevent risks from happening by actively implementing supply chain risk management strategies, adopting the precautionary principle such as screening potential suppliers based on their risk profile, and establishing mechanisms to monitor the risks.

Define clearly the procedures for minimising and monitoring the risk. Relevant personnel should be trained on the proper procedures. For example, the party responsible for managing the whistleblowing channel should be in a position to handle complaints indiscriminately and confidentially. Lines of reporting should be established to ensure strong governance.

4. Risk Mitigation

Where risks have occurred in the supply chain, define the procedure for managing those risks, either by adopting new practices or changing old ones that can minimise the probability of said risks.

5. Remedial Action

Where damage has been done, consider ways to compensate the parties affected by human rights violations, or ways to rehabilitate or restore ecosystems that have been negatively impacted. Part of this is also ensuring that the same violations do not recur.

Challenges of maintaining an SCRM

By far the biggest challenge for SCRM is taking control of a wide network of factors beyond your immediate control. However, this can be managed by having in place a comprehensive SCRM with detailed procedures for different scenarios.

Another significant challenge is obtaining data to inform the SCRM. The process of engaging your suppliers to cooperate and share information is necessary to identify, assess, and develop strategies for risk mitigation. Continuous data updates are needed to monitor risks on a regular basis. In this respect, the help of software to automate some of these processes can be of great use to your SCRM framework.


How we help

  • We guide you to achieve legislative compliance by contacting your suppliers and simplifying the collection of relevant data internally and along the whole supply chain.
  • We receive information from your suppliers without jeopardising business-critical information about their supply chain from exposure, only showing one level up and one level down.
  • We facilitate data exchange with suppliers and ensure that necessary and accurate information from the supply chain arrives with minimal effort.
  • We conduct risk assessments of your supply chain and set up a complaints procedure.
  • We provide a centralised platform to manage all your data, pulling data from enterprise software such as ERP, HRM, EMS, etc.
  • We offer insights powered by data analytics, enhancing your understanding of your supply chain, ESG performance, and reporting strength.
  • We automate follow-ups to data sources, reminder emails and calculations and free up more time for you to do other things.

