We examine how supply chain management has become increasingly global and complex, making risk management more challenging.
In today’s networked world of global and hyper-extended supply chains, businesses rely heavily on their suppliers not just for continuity of service but also for safeguarding their own reputation. The fear is that, if one link in the chain fails, or is suddenly seen as ethically unacceptable, the business would be left scrambling to recover.
Supply chain failure is a serious risk for some businesses today. Global networks and specialisation have resulted in extended, complex supply chains which are increasingly hard to monitor. Lack of visibility for those charged with ensuring business resilience can allow risks to go unnoticed and unmanaged.
Consider the aftermath of 2016’s Kumamoto earthquake. Production at leading camera companies ground to a halt after the main manufacturing plants for sensors, owned by Sony, were shut down. Nikon alone suffered an estimated 20% fall in sales, reducing operating profit by approximately £67 million. There are numerous other examples where problems buried deep in a company’s supply chain have turned into a severe threat to business resilience.
All this isn’t just the responsibility of internal audit. The procurement function also has a clear duty to conduct proper checks on suppliers. In the past, however, many did no more than financial due diligence when bringing a new supplier on board. Today’s smart procurement systems should be more proactive in ensuring all the right checks are carried out.
Continuous risk management using real-time information to assess different types of risk – from geopolitical, corruption and labour practices to financial, cyber and regional conflict – is now not just possible, but essential.
The key is to start by identifying which suppliers are critical to business resilience and why. Then drill down further to understand which tier 2 suppliers your tier 1 suppliers themselves rely on. Question those tier 1 suppliers closely about the risk management processes they have in place to control their third parties and monitor risk – and the extent of their contingency plans, should anything go wrong.
Once you have your risk map in place, the focus then moves to data. With the complex supply chain mapped out and critical pathways understood, the next step is to start monitoring data feeds around logistics and production, as well as external sources such as market data.
The greatest challenge comes from the massive volumes of data now involved. For both procurement and the other lines of defence, this is best managed by focusing on risks identified as critical.
Some boards do prioritise supply chain risk as part of their regular performance reviews. Yet many others only focus on these particular risks after there has been an incident – a contaminated raw material, say, or press coverage of poor labour conditions in a tier 1 or even tier 2 offshore supplier. This is far too late in the process.
Management culture must embrace continuous review and consistently tight controls. This message starts with the board and must be built into the whole governance process. The board should be actively engaged in understanding the risks inherent in the supply base, where the potential impact lies and what is being done to mitigate them.
The second and third lines of defence can then focus on those risks as part of their ongoing resilience tests. For internal audit to make an assessment of the compliance processes, and offer any kind of resilience assurance over potentially catastrophic failures, operating and procurement functions need to have mapped critical risk as clearly as possible – including recording what’s happening and what’s changing in detail.
Too often the procurement function has tended to prioritise cost savings, supplier performance and compliance. Yet the tasks of articulating deep risks, being keenly aware of resilience issues and monitoring the data to show how well those risks are managed are equally vital.
Responsibility for this change in culture again rests squarely with the board. Effective risk management should cascade down throughout the organisation, on to main suppliers and all the way through to tier 2 links in the chain. With suppliers now absolutely critical to business resilience, the board’s message to internal audit should be: ‘keep us safe from the errors of those we rely on.’
© 2020 KPMG LLP, a UK limited liability partnership, and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative, a Swiss entity. All rights reserved.