The following is a modified excerpt from the Interos book, “The Resilience Operations Center: A New Framework for Supply Chain Risk Management,” which explores modern methods of acquiring supplier risk information and completing the supplier evaluation process. Download the ebook or request a print copy here.
Operational Resilience & Supplier Risk Evaluation
Having identified risks and assets, and with a clear understanding of the challenges and success factors involved in creating a Resilience Operations Center (ROC), the next important phase is completing a supplier inventory. As part of this, you’ll need to make sure you have full insight into supplier risk information, which requires a formal, rigorous supplier evaluation process.
Here are some important questions to answer as you build the supplier inventory.
Important Supply Chain Risk Management Questions and Answers
- What is the scope of your supply chain risk management (SCRM) program? Organization-wide, including all affiliate companies? Limited to a specific business unit? Something else?
- Do you have an inventory, and if so, how do you know that it is complete and includes your extended supply chain?
- Do you know who your critical suppliers are and who their critical suppliers are?
- Is there a database where supplier risk information is stored and managed? Or are there multiple databases where this information resides? Is the database automated or manual (like an Excel spreadsheet)?
- What information do you collect as part of the new supplier evaluation process?
- Do you categorize your suppliers into risk domains based on the products or services they are providing to your organization or, alternatively, on the functionality provided or information that you shared with them? What role does your information classification scheme play in this process?
- Which lines of business in your organization have been granted exclusions from your standard procurement process (and may not have been included in the overall supplier inventory)? Does documentation exist for any exceptions that have been made?
- How is the supply chain inventory kept up-to-date to maintain the confidentiality, integrity, and availability of your organization’s key products or services, business processes, and information?
- How can you use the available information to achieve quick wins and build program momentum with management and your board of directors?
If you do not know the services or products that are provided by your existing suppliers, then you’ll need to review the supplier evaluation process, and determine what supplier risk information is captured up-front.
Supplier Risk Information: Automated Discovery Versus Manual Survey
Manual survey methods for building your organization’s inventory likely have gaps or inaccuracies, given that they are based on reporting of supplier relationships by individuals. What if there was a more objective way to discover, evaluate, build, and continuously verify supplier risk information?
This “more objective way” exists — in the form of emerging automated tools and platforms, ones that leverage multi-tier, multi-factor, and continuous inventory discovery processes. These tools can use a variety of artificial intelligence technologies and include machine learning and natural language processing. This makes it possible to fill in important gaps, remove overlaps, and resolve conflicts in supplier and subcontractor inventory tiers, while continuously validating and adding to your existing supplier inventory.
As part of supplier evaluation, these tools provide actionable insights into and alerts of the risks introduced to your supply chain. They continuously monitor changes in supplier relationships and associated risk factors. Machine learning can be used to discern relationships from public, commercial, and private sources of data that are not obvious in investor/ownership, board membership, and subcontractor relationships, to name a few. Machine learning can also be used to build out more robust supplier risk information; for example, identifying ripple effects of geographic events. Natural language processing can immediately identify and alert you to negative information about suppliers in public news feeds, allowing for a proactive response before the news negatively impacts your organization.
Automated tools now exist with the ability to create and maintain a single source of truth for supplier risk information, covering financial, operations, geographic, cyber, regulatory, geopolitical, and environmental/social/governance (ESG) risks. Such tools allow centralization of your organization’s aggregated supplier risk posture and can drive key operational risk mitigation and trends in your organization’s risk reporting.
What Supplier Risk Evaluation Data Do I Need to Get Started?
In order to leverage this opportunity effectively and efficiently, your organization would need a minimum amount of information for supplier evaluation. Otherwise, the high volume of data returned by these automated tools could overwhelm you. This baseline information includes:
- Supplier name
- Location of product or service being provided
- Relevant URLs and internet hosting details
- Critical software development organizations involved
- Names of commercial products being used or deployed
- Additional specific data, depending on defined individual use cases
Spending time upfront to carefully define use cases (for example, starting with new supplier onboarding) can help you discover supplier risk information that you were unaware of and that may need to be addressed prior to contract signing. Being aware of the constant, rapidly evolving nature of SCRM through increased use of these automated tools, along with a clear understanding of and plan for integrating these tools into your organization’s existing operating processes, are important success criteria for SCRM risk management. Their contribution to maintaining operational resilience is a game-changer in the rapidly evolving SCRM landscape, and essential for staying up-to-date on supplier risk information.
Lay the Groundwork for a Resilience Operations Center
The Resilience Operations Center book goes into more detail on supplier evaluation and other topics, including aligning a business operating model with strategic risk management objectives, identifying your risk management program’s maturity level, and defining key ROC governance processes. Get a copy of the book here and put your organization on the road to operational resilience. Then, to learn more about Interos, visit interos.ai.