Supplier Management: How to Deal with Risk

Supply side risk holds the potential to seriously harm a business but companies often fail to consider it thoroughly.

Effective supplier management (SM) will prevent problems arising, with specific interventions recommended for important suppliers and supply chains. This day-to-day process – part of an overarching supplier relationship management (SRM) approach – lies at the heart of any successful trading relationship.

Supplier risk assessment should be ongoing and conducted regularly for all important suppliers and supply chains. It should also look across the entire supply base to see if new risks have emerged with suppliers previously deemed unimportant.

Following identification of the potential risks, assessing them requires consideration of the likelihood of any given risk occurring and its severity of impact.

Group discussion is essential to determine priorities for action. Risks can be mitigated or contingencies developed and planning for both is part of supplier risk management.

It is easy to assume that risk is the supplier’s concern, but it is actually the responsibility of all parties. While there will be risks the supplier can address, others may be outside their control. They may lack the capability or may need help to address them. It is, therefore, essential that we get to know all important suppliers, and, in some cases, even audit them.

Really getting to know them

How well do you know your suppliers? What are their future plans? Do these fit with what you need from them? How would you know if they are having problems that might present risk?

In practice, it is difficult to really know a supplier and typically we only see what the supplier wants us to see: the veneer portrayed by the account manager or those in the organization who have been briefed about what can be shared. So if a supplier is important, and presents risks around assurance of supply, it is vital that we get to know them properly.

Supplier auditing and assessment

Supplier auditing is the systematic assessment of a supplier’s management systems to a specific standard, either first hand or by a third party empowered to award accreditation to that standard. It can be a highly effective means to assess supplier risk and involves visiting the supplier, examining management controls across the organization, and sampling how things work in practice. Covid-19 has presented new challenges for visiting suppliers; however, audits are still possible and necessary. We just have to think differently about how we do them.

Assessment of an important supplier can help give a true feeling for the firm but this is perhaps not a skill set that a procurement person would typically possess. It would not be unreasonable for a supplier to ask that an experienced individual conducts the assessment – perhaps qualified or registered with an assessment body. Quality functions often have a supplier quality team with remit and skills to assess suppliers. Therefore, alignment and collaboration between quality and procurement can work well with a joint team where quality ‘audit’ and procurement ‘observe’.

Of course, not every organization is equipped with a supplier quality function, so professional auditing may not be an option. Accepting third party accreditations can help here. However, for an important supplier willing to win and secure ongoing business, there is still great benefit from industrial tourism visits. These could be as simple as a tour of the supplier’s facility, or as involved as a ‘mini-assessment’, positioned as the customer wanting to understand as much of the supplier as possible, but without it becoming a full assessment. As such, these ‘mini-assessments’ can appear much less of a threat to a supplier, opening up the prospect of assessment by non-experts. A basic auditing course is recommended and can help here.

ISO9001 and other standards

Another way to understand and manage supply side risk is to qualify suppliers based upon meeting specific management system standards. The concept of a standard for how a firm operates originated from the defence sector, where a company’s operation was seen as critical to ensuring the safety, security and correct long-term functioning of defence components.

In the early 1980s, military AQAP standards were replaced by mainstream British Standards such as BS5750 in the United Kingdom, then superseded by international standards starting with the ISO9000 family of standards including ISO9001 – the standard for quality management systems designed to ensure organizations meet the needs of customers and stakeholders.

Today more than a million organizations worldwide hold ISO9001 accreditation. It is what is expected of a modern, effective organization operating in the global marketplace.

We can better understand a supplier and gain a measure of risk exposure through accreditations to standards that they hold. Therefore, it is appropriate to be interested in accreditations, or indeed in a supplier’s efforts to work towards these.

It is important to be clear about the degree to which we might wish our supply base to hold certain accreditations and why, as this could limit choice, make the market more difficult, reduce leverage and exclude innovation. ISO9001 is widely adopted, others less so, and it would be rare to find a ‘full house’ of standards. A decision to stipulate accreditation to a standard should not be made by procurement alone but should be part of organizational risk management overall and align with wider, agreed corporate policies and principles on quality and risk.

Maintaining a supply side risk register

Organizations that adopt a proactive attitude consider all the key risks they face, including supply side risk, and take action as appropriate, directing resource and attention to areas deemed the highest priority. But there is another macro-level view here and that is the combined effect of all the supply side risk for the entire business.

Understanding the combined supply side risk helps inform corporate strategy, and in turn creates the business case for resources needed to mitigate or plan contingencies for areas deemed to warrant them. A Risk Register is a system of keeping a dynamic and regularly reviewed summary of key risks at any one time. It helps inform overall procurement strategy and where resources should be directed. If the organization operates a risk register system, then supply side risks should form part of it, otherwise maintaining a supply side risk register would form part of an overall SRM governance approach.

Ongoing supply side risk management

Things can change, so risk management is not a once-only activity. It is something we need to do on an ongoing basis. In practice, this means doing a number of things continuously.

These include:

  • Changing circumstances – keeping a watchful eye on changes in the supplier’s behaviour and circumstances that might signal a problem, such as chasing payment or key individuals leaving. Such things might warrant investigation and, by asking the right questions, you may be able to read between the lines.
  • Keeping close – keeping close to the supplier and making it our business to really understand their organization and the key individuals that drive it.
  • Supplier reviews – specific agenda items during supplier reviews to share and discuss developments or changes in direction.
  • External changes – keeping a watchful eye on external environmental changes that might impact this supplier or our relationship with them. Announcements of new contracts won, expansions, changes in ownership, acquisitions, mergers, product recalls or safety concerns – all have implications for our supplier.
  • Supplier assessment – periodic audit or assessment of the supplier’s management system, processes and activities.

These ongoing actions are part of the role of the supplier relationship manager. Not all can be planned for, but they rely upon the interest and attentiveness of the individual in this role.

This article is adapted from 2nd edition Supplier Relationship Management: Unlocking the Hidden Value in Your Supply Base (9780749480134) by Jonathan O’Brien © 2018 and reproduced by permission of Kogan Page Ltd. It first appeared on the Minute Hack website on January 22, 2021.

Jonathan O’Brien, CEO of Positive Purchasing Ltd, is a leading expert on procurement and negotiation, and works with global blue-chip organizations to help transform their purchasing capability.