
   Corporate Governance (Supply Chain Risk Management – SCRM)

 

  • The general opinion of supply chain professionals may be that the combination of proactive risk mitigation and reactive crisis management may be the foundation of efficient supply chain risk management (SCRM), which in turn, may be the foundation of a strong supply chain; to be effective, SCRM requires an understanding of the: abilities of the suppliers within the enterprise supply chain; acceptance of what compromises the enterprise may have to make to achieve continuity of its supply chain; allocation of enterprise financial and human resources to enable the enterprise SCRM framework, once approved by management; risk threshold that the enterprise is willing to endure to keep its supply chain up and operational; limits of the enterprise capabilities to cope with particular identified risks. 

  • There may be many general and specific types of risks that may threaten the enterprise supply chain, such as for example: board-approval risk; business continuity risk; business management risk; child labor and exploitation; climate change; compliance with numerous applicable laws in numerous jurisdictions; concentration risk; corporate social responsibility (CSR)-related; credit risk; criminal prosecutions; critical enterprise risk; cyberattacks; delivery failure; emerging risk; environmental social governance (ESG)-related; erratic human behavior; event risk; foreign ownership, control, and influence (FOCI); fourth-party risk; fraud; geopolitical threats, such as those from the People’s Republic of China, Iran, North Korea, Russia; geopolitical conflicts, such as the Ukraine war; inter-country and inter-hemisphere trade wars; global and regional shortages of food, water and critical materials; governance risk; government investigations; human rights violations; human trafficking; increased competition; labor actions; lack of an educated workforce; lack of a skilled labor force; liquidity risk; market risk; natural resources shortages; new business models; operational risk; pandemics; population migrations; price increases; privacy risk; regulatory changes resulting from required compliance with numerous rules in numerous jurisdictions; regulatory enforcement actions; replacement risk; schedule changes; shipping container shortages; staffing shortages; sociopolitical instability; strategic risk; supplier financial distress; supply shortages; systematic risk; third-party complications; unanticipated sudden demand; unsystematic risk; weather catastrophes (such as 100-year floods); worker strikes.

  • There may be many internal operational enterprise factors that may impede efficient SCRM, such as for example: acceptance of supplier prices without question, either because of disinterest in bargaining or unwillingness to make long-term commitments that might result in volume discounts; apathy to investigating potential lower-cost sources in foreign countries further away from the enterprise (but still more cost-effective, even after increased shipping costs are included); bad business decisions; complex and exclusionary corporate procurement policies that may require multiple approvals before final authorization; failure to provide end-users with simple do-it-yourself methods for ordering repetitive items (perhaps under a dollar limit, such as for example office supplies); forced involvement in numerous transactions for which there was no business justification for such involvement, other than a superficial insistence upon being pointlessly-ubiquitous; lack of interest in generating new requests for information (RFIs), requests for proposals (RFPs), requests for qualifications (RFQs), requests for quotes (RFQs), and requests for solicitations (RFSs); maintaining excessive inventory reserves without justification; no fast-track protocols for procuring repetitive products; resistance to forming new business relationships with new equally-qualified suppliers who may have more-aggressive pricing models than the very comfortable suppliers the enterprise has used for years, and years, and years.

  • There may be many internal philosophical enterprise factors that may impede efficient SCRM, such as for example: aversion to any possibility of failure; aversion to responsibility, and the attempt to transfer any responsibility for anything onto others; aversion or hesitation about making difficult business decisions (or any decisions at all, for that matter); failure of the enterprise and enterprise management to understand that it is just as important to keep fully-informed about each and every participating supplier in the enterprise supply chain as it is to keep fully-informed about the entire enterprise supply chain itself; failure to think creatively; inaccurate data about each and every participating supplier in the enterprise supply chain and about the entire enterprise supply chain itself; inadequate data about each and every participating supplier in the enterprise supply chain and about the entire enterprise supply chain itself; inability or unwillingness of management to prioritize an organized business continuity action plan to manage and understand the relevant risks to each and every participating supplier in the enterprise supply chain and to the entire enterprise supply chain itself; concerted effort by management to allocate the necessary financial and human resources to accept, mitigate, prevent or transfer the relevant risks from each and every participating supplier in the enterprise supply chain and from the entire enterprise supply chain itself.

  • The first steps for an enterprise to take, in order to infuse SCRM philosophies into the culture of the enterprise may be to: form an SCRM team consisting of any enterprise personnel who may already have SCRM experience, but if there are none, the enterprise should arrange in-person or online training for at least the designated leaders of the new SCRM team, through some of the many supply chain industry trade associations; select a SCRM risk framework that the team will use as the basis for all further SCRM decisions – such as for example, either the International Organization for Standardization – ISO – ISO 27001 and ISO 27036-2 or the National Institute of Standards and Technology – NIST – NIST SP 800-53, NIST SP 800-161 and NIST CSFv1.1, or perhaps some other framework the enterprise might prefer; implement a SCRM software platform, and also if the budget allows, an intelligent digital supply chain (IDSC), and provide training on both for all SCRM team members; create a supplier database – through the tried-and-true pre-qualification methodology of RFI, RFQ, RFP, from all available public data sources – for both domestic and international suppliers; categorize such suppliers by whatever criteria the enterprise may wish to use; audit all supplier information periodically (but not longer than every 6 months), to keep all such data current; based on such audits, assess actual supplier performance against pre-determined and ranked key performance indicators – KPIs – and then issue scorecards to all suppliers, and discuss with such suppliers ways to improve their performance; continuously-monitor for both external and internal risks; conduct periodic risk compliance audits.

  • Some strategies to achieve optimized SCRM may be: accessing every possible source for accurate, current and trustworthy data regarding each and every participating supplier in the enterprise supply chain and about the entire enterprise supply chain itself; aligning the SCRM business continuity action plan with the business strategies, goals and objectives of the enterprise Board of Directors, C-Suite and senior management (collectively “management”); creating a comprehensive risk assessment matrix (which should be applied not only to the enterprise itself, but to the entire enterprise supply chain itself, as well as to each and every participating supplier in the enterprise supply chain) in which as many possible risk events from various risk sources (such as for example: compliance; geopolitical; logistical; natural; operational; regulatory; strategic; tactical) are assessed for their potential impact on various aspects of the enterprise (such as for example: corporate social responsibility – CSR; cyber; environmental social governance – ESG; finance; infrastructure; market; reputation; safety; suppliers); monitoring all possible sources of risk to each and every participating supplier in the enterprise supply chain and to the entire enterprise supply chain itself; publishing the enterprise SCRM information on the corporate intranet, so all enterprise personnel may access the latest information on the SCRM plan itself, as well as current information about any particular supplier, and the location of particular items in transit (if the enterprise supply chain tracking software platform is sophisticated enough to provide such information on a real-time (or almost-real-time) basis); referencing the PPRR supply chain risk management model – consisting of: prevention (plan for contingencies when formulating an enterprise business continuity plan); preparedness (ensure some emergency funds are held in reserve and that personnel are trained to cope with sudden supply chain disruptions); response (in the event of a disruption to the enterprise supply chain, respond immediately; do not become paralyzed with fear; do not wait for the government to solve the problem); recovery (use maximum effort to get the enterprise supply chain up and running again as quickly as possible); using a return on investment (ROI) model to determine whether any proposed SCRM framework may be successful; using supply chain mapping (meaning not only to create graphical maps of all aspects of the enterprise supply chain itself, but also of all data about each and every supplier in the enterprise supply chain, to achieve transparency into the operations of each and every such supplier), which will be most helpful to the enterprise in the event that catastrophic risk events disrupt the existing enterprise supply chain, requiring the enterprise to find new suppliers and create new supply chain routes.

  • SCRM may also be optimized through various best practices, such as for example (in no particular order of precedence):

  • awareness – through visibility into the operations of suppliers, the enterprise may become aware of any particular risks faced by some suppliers; understand that the failure of a key supplier will not only damage such supplier, but will also disrupt the enterprise supply chain; thus, whether for purely altruistic reasons, or some combination of altruism and selfishness, it may be beneficial (from the standpoint of goodwill, reputation and practicality) for the enterprise to offer some added support to such key supplier, in the hope that such extra support may minimize the damage to such key supplier’s operations and also consequently to the enterprise supply chain; but always have redundant suppliers (as noted below) at the ready, just in case; it may be beneficial for the enterprise to have supplier relationship representatives who would increase transparency and visibility with assigned suppliers by handling all aspects of interaction with such assigned suppliers, as a point of contact between the enterprise and the assigned supplier;

  • contracts – contract language updating (the use of plain English rather than legalese); creating many types of contract templates in advance, to be used as is or adapted for any future occasion; innovative contract negotiations, such as having a supplier guarantee that the enterprise will have the right of resumption (the first shipment from the first run of a supplier’s operations once such operations have been restored, after the supplier has suffered some catastrophe); using efficient contracts lifecycle management (CLM) platforms for contracts organization; verifying that every contract with each and every supplier has the indemnity, limitation of liability and risk of loss language required by enterprise corporate policies;

  • culture – create a culture of SCRM awareness and vigilance within the enterprise; trained and vigilant personnel are needed, to monitor enterprise SCRM information technology (IT) resources; vigilance is the antidote to negligence; a vigilant person is more-likely to think creatively; the enterprise should increase the enthusiasm and awareness within the SCRM culture by sharing all non-confidential information about its SCRM policies with its personnel, thus increasing the confidence, loyalty and trust of such personnel for the enterprise;

  • cyber – do not hesitate to upgrade hardware, middleware and software constantly, and do not hesitate to install patches and updates as soon as possible; strengthen enterprise defenses with the latest technology; data mining software may be used to model key risk event scenarios;

  • identify – create a detailed risk management matrix (meaning all the threats you might possibly identify as being disruptive to your supply chain) and then create contingency plans based on whatever risk framework – accept, mitigate, prevent or transfer – you may wish to apply to that risk;

  • inclusion – in the efforts to achieve transparency and visibility, it may be prudent for the enterprise to share its business continuity action plans not only with its suppliers, but also with any logistical partners – such as for example: air carriers; rail carriers; sea carriers; truckers; and the like – that might be key components of the enterprise supply chain, and to hold regular meetings with them, that might generate innovative new risk strategies that could be beneficial to all of them;

  • insurance – verify that all required insurance coverages for each and every vendor are of the coverage types required to address the particular risks faced by each and every such vendor; for at least the minimum limits required by enterprise corporate policies; stated clearly and without qualifications on a current certificate of insurance (COI), perhaps in the ACORD format, from an insurance provider with at least the minimum ratings (perhaps from A. M. Best) and with all the proper language (such as naming the enterprise as additional named insured) that is required in each enterprise contract and by enterprise corporate policies; it may also be prudent for the enterprise to purchase cargo insurance covering all items in the enterprise supply chain, as a redundant source of funding in case any cargo is damaged or lost while in transit within the enterprise supply chain;

  • logistics – prioritize tracking the statistics that will provide the most data in the shortest time (such as, for example: average loading time; average maintenance time; average time for stops; average unloading time; number of stops; route optimization; transit time); implement a detailed logistics management plan, which might assess all logistics providers in the enterprise supply chain, provide mapping for the preferred routing and also contingency routing in the event of disruptions, and would have all the other attributes noted above and below that would be applicable to suppliers;

  • monitoring – continuously monitor both external and internal risks; numerous very sophisticated software monitoring platforms are available;

  • prioritize – adjust the enterprise response to every identified risk, based on a combination of – enterprise resources allocation; the likelihood of occurrence; and, the impact of the risk on the enterprise supply chain; trade credit insurance may also be available to the enterprise to cover slow-paying customers and deadbeats;

  • qualifications – verify that all suppliers (including the redundant suppliers noted below) are all pre-qualified and financially-sound, through visibility into all such suppliers’ operations and financial data (perhaps as a pre-qualification requirement in an RFP to provide certified financial statements and operations data, and also through monitoring business tracking firms, news reports and social media);

  • ratings – perhaps divide suppliers into categories (perhaps depending on what the enterprise may spend per year on their products), and then create key performance indicators (KPIs) for each task that each such supplier must perform to complete an order; then provide ratings for each such task to each supplier periodically, perhaps on a scorecard, and discuss such ratings with each such supplier; hopefully, such discussions will assist each such supplier in improving their service to the enterprise, and if not, the scorecard ratings might serve as justification for the enterprise to terminate the services of such supplier, and move on to one of the redundant suppliers noted immediately below;

  • redundancy – have a business continuity plan that allows for supplier redundancy through multiple requirements contracts in place with multiple available, pre-qualified suppliers, in many parts of the globe, for each branch of the enterprise supply chain, so that if one geographical area suffers a catastrophe that disrupts a certain branch of the enterprise supply chain, the enterprise might be able to quickly-construct a new supply chain branch, using such redundant suppliers from such other locations; do not make awards out of habit, but always use a fair and transparent bidding process for each award; employ a strategy that includes: multi-sourcing (from multiple domestic and international sources); include nearshore (domestic US, Canada and Mexico), offshore (Caribbean, Central and South America) and foreign (international) potential suppliers;

  • reputation – the enterprise should make every attempt to protect its reputation to the greatest extent possible; do not let bad press or scurrilous attacks on the reputation of the enterprise go unchecked; respond as quickly as possible, not through attacks on the original attacker, but rather through unemotional, factual and true statements about the enterprise; retain reputation management subject matter experts (SMEs) if necessary; publish the response on every social media platform, and invite comments (so it can be determined if the enterprise response message is resonating with the public, or if not, that the messaging must change); follow the pedigree of each supplier through the records of the Secretary of State for the jurisdiction of the supplier, to verify that such supplier does not have unsavory associations;

  • resilience – the ability of an enterprise to recover quickly from any catastrophe it may suffer, and get its supply chain up and running again with a minimum of disruption; resilience is a function of enterprise due diligence in several key areas (such as: the ability to forecast potentially-disruptive events that might affect the enterprise supply chain; the maintenance of adequate, not excessive, inventory of critical items, with safety stock based upon historical data and current conditions; good relationships with primary and redundant suppliers; availability of sourcing opportunities, based on market conditions and world events); adequate technology to provide the enterprise with agility to adapt to procurement and sourcing requirements based on ever-changing risk challenges to the enterprise supply chain, connectivity worldwide, and tracking orders within the supply chain in real time; strategic product design (any innovation that will make ordering, logistics and delivery easier, such as using a different packing material so that more items will fit in the same-size box); ensure that the enterprise has the financial stability to provide consistent pricing, even in times of emergency (which will in turn enhance the reputation of the enterprise for honesty, integrity and stability); use an intelligent digital supply chain (IDSC – basically supply chain automation through software platforms powered by artificial intelligence – AI – blockchain, checksums, cloud services, machine learning – ML – and the like); author a crisis management playbook, so that when disaster hits, several detailed crisis response strategies may be available out-of-the-box (perhaps a short-term response plan, medium-term response plan and a long-term response plan), from which to choose, or to modify immediately, to get the response going as quickly as possible, and to perhaps buy some time to formulate a more-detailed crisis-response plan;

  • review – periodically perform a complete audit of both the enterprise business continuity action plan and the enterprise supply chain, as well as of any information relating to each and every supplier within the enterprise supply chain, so that all information within the possession of the enterprise is current;

  • training – provide constant training for the entire supply chain team, so that each member of the team is always up to date, and has the same information as the other team members.

  • Drafting and negotiating all SCRM-related documents, and legal support for all SCRM-related activities.

   Progress_Page_Last_Updated_221105_1453
