Every year, consultant companies survey purchasing leaders to understand their main objectives for the year, and regularly, risk management is listed as one of the five most important. The American National Standard for Security provides organizational resilience guidelines for security, preparedness, and continuity management (ASIS SPC.1 2009). These help companies define the overall framework for Enterprise Risk Management (ERM), where purchasing is just one piece of the puzzle.
A simple view of risk management is to know what risks should be tracked, and then, to have a mitigation plan to decrease or eliminate the risks. In purchasing, the most important objective is to avoid supply disruption, which may interrupt production, causing a loss of revenue.
The internal clients, businesses, and functions do not want to receive the bad news of supply disruption of a product or service. Compounding this problem, some clients are not willing to spend time to understand which risks they are facing because they are difficult to measure and difficult to translate into numbers. A simple, yet effective, way of communicating risk is to share with a client a graph showing the probability of risks and potential impact on their revenue if no mitigation plan is implemented.
The graph below is generated by the Purchasing Risk Assessment (PRA) tool. First, it shows the likelihood of supply disruption and the impact on revenue without a mitigation plan (called Initial Risk) and then the supply chain with a mitigation plan implemented (called Final Risk). Of course, it is the client’s decision whether to implement the mitigation plan or not; as consultants, our role is to clearly communicate the risks and subsequent impact on the business.
With the PRA tool, we are able to cover the most common risks faced in the purchasing of products and services. The framework is composed of four risk dimensions: Market Structure, Supplier, Supply Strategy, and Supply Chain. Each risk dimension contains three risk drivers with a risk scale from low to high. Below you will see risk drivers for raw materials in each dimension.
- Company Volume / Approved Supplier Capacity: How dependent you are on existing approved suppliers. If you buy 50 units, and approved suppliers have 100 units, you are at a great risk. If you buy 10 units, the risk is lower.
- Supply / Demand: How approved suppliers in the industry are operating. Capacity utilization of 90%+ gives higher risk.
- Technical Options and Time to Approve Alternatives: Do you have other options? How long will take to approve new options? You are at risk if no options exist or it take too much time to approve another option.
- Number of Qualified Suppliers: If you have just one, this means higher risk to your supply chain.
- Supplier Financial Health: If any suppliers are struggling from a financial perspective, you may face higher risk.
- Number of Sourcing Points or Supplier Plant Locations: You face additional risk due to natural disasters or geopolitical instability.
- Volume under Legal Contract: If you lack contracts in place, you have higher risk.
- Supplier's View of Company: If your supplier does not see your company as a key customer, you have higher risk.
- Specification: Are your specifications solely your creation, or are they common across the market? If specifications are not standard, the risk is higher.
- Hazard of Material: Are these products hazardous? Do they require special transportation? Special transportation is riskier than regular modes.
- Supplier Back-Integration: Is the supplier back-integrated in the feedstocks? Having back-integration involves lower risk because it does not depend on others.
- Leadtime (of Closest Stock): Can you have your product in three or 30 days? Longer leadtimes bring about higher risks.
Purchasing Risk Assessment
The PRA tool can assess risk for different commodities: Raw Materials, External Manufacturing, Packaging, MRO, Services, and Logistics (Marine, Rail, or Truck). For each commodity, we have selected three risk drivers for each risk dimension.
Because each company evaluates risks differently, the tool allows users to weight each risk dimension and each risk driver. For example, one company may have Market Structure at 30%, Supplier at 35%, Supply Strategy at 20%, and Supply Chain at 15%, totaling 100%. The same weighting applies to the risk drivers. Most important is to keep the percentages for each commodity fixed; for example, all raw materials will have the same weighting as shown in the above example.
For each risk driver, we show a scale from 1 (low risk) to 5 (high risk). You are first able to quantify each current risk driver (with no mitigation plan in place). Then, you can enter key words for mitigation planning (like “Qualify two new suppliers”), and assuming the mitigation plan is implemented, you can show the final (revised) risk. For example: You are sole sourced, with an initial risk of 5. Approving two new suppliers moves the final risk to 2. The same is done for all 12 risk drivers (that is, four dimensions with three risk drivers each).
It is important to note that the risk scale from low to high is not intended to be used as a precise quantification of the risk. Rather, its benefits are in creating comparative ranges. Therefore, the most important result is not the score itself, say, 1 or 2. Rather, it shows the direction of the risk, say, from 3 to 2 or from 4 to 1.
Purchasing inputs include many elements: year, quarter, manager’s name, director’s name, product or service name (SKU), total spend (US$MM), and revenue (US$MM). Total spend is how much of the product or service is bought in the year. Revenue is more difficult to input; however, it is the most important. The idea is to understand where the product or service is used by the company and how much revenue is generated in the year. Normally, marketing managers and business directors understand where products or services are used and how much revenue they generate.
For each risk assessment, the PRA tool generates a similar graph as shown in this article, which consultants can show to their businesses. It facilitates our client conversations because we are showing that 1) a risk assessment is being performed, 2) there is an impact on the business, and 3) we are proposing a mitigation plan.
The PRA tool also can record all the information and data input into a database, so we can track which product or service has been assessed. Furthermore, we can use the database to understand spend per commodity where risk assessment has been done and risk assessment spend by buyer or director.
If risk assessment is part of a company’s agenda, Purchasing can do this job. Naturally we will not assess all products and services we buy, but certainly Purchasing understands which ones are most critical or at current risk. The PRA tool provides a simple risk quantification and facilitates our conversation with internal clients.