
Managing Supply Chain Uncertainty, part 2 of 2

Earlier this week, we shared a handful of questions answered by Nick Wildgoose (Global Supply Chain Product Leader at Zurich Insurance), Rose Kelly-Falls (Senior VP of Supply Chain Risk at Rapid Ratings), Doug Markle (EVP at HICX Solutions), and Gary Bahadur (CEO at Razient) during the “Managing Supply Chain Uncertainty: Questions and Answers from Leading Providers of Supplier Risk Management Solutions” webinar.

The following is part 2 of 2 of this Q&A session (see part 1 of 2 here – Managing Supply Chain Uncertainty, Part 1 of 2).

Q6. What are some of the challenges companies face when it comes to managing sub-tier suppliers based on their location?


The first issue is to understand who they are, and then it is to ensure the Tier 1 suppliers are managing their suppliers in the way you would like them to. Once you know the location of sub tier suppliers, you can carry out a number of checks to understand exposures.


Without individuals physically on the ground, it makes it difficult to manage sub-tier suppliers. It also gets very difficult when there are multiple layers of tiered suppliers. In many cases you are relying and depending on your downstream suppliers to manage and communicate any major concerns. Often the Tier I has no visibility into the other tiers, but they assume that their suppliers, and their suppliers, have insight. Typically (and often demonstrated) that is not the case. The biggest risk companies have is the lack of visibility into the sub tiers especially tier III and tier IV.


The most obvious challenge is that the primary contractor does not want to share this information. The main reason is usually that they do not want you to go directly to the sub for services. But another key reason is that that sub may not be up to the same standards as the prime and could violate your agreements with the prime.

Regulatory compliance is a major issue in manufacturing and will only increase as countries move into areas such as conflict minerals regulations and more aggressive child labor regulations. If the prime has subs in countries with lax regulations, this could be a deal breaker in your contracts with the prime.

If the prime has subs in volatile locations, this could also impact your production schedule, and be another deal breaker. If the sub is providing a very specialized part in a location that has many physical risks, then this could also quickly impact your whole production line because having alternate locations for specialized parts is very difficult. Hence, gaining visibility into the sub-tier network is a requirement today for any global supply chain.


Rose is correct in that the visibility is often not there, and Gary hit it on the head when he says that suppliers do not want to provide visibility into their supply base. Too many companies (buying organizations) have abused this insight in the past – and it has become harder to collect sub tier information.

Regardless, current compliance needs (e.g., Conflict Minerals Reporting) absolutely require the gathering of sub tier supplier information, and inputs. As such, we are seeing a big push by companies to not only meet their compliance requirements, but also gain a fuller understanding of their supply chain map.

HICX has found that successfully mapping out the supply chain requires communication, earned trust, and eventual benefits to those within the map. Buying organizations can easily communicate the goal, and why it’s needed. Supplier Management systems, such as HICX’s, can enable visibility one level up, and one level down, within the map – to ensure that only the information absolutely required is shared (and to only the people that need it).

Further, once a map is built, we’ve found that our customers were eager to share certain insights to the appropriate supplier, such as the example of a tsunami: a tsunami may be affecting a tier 3 supplier; therefore, notice to the tier 2 of the incident, and notice to the tier 1 of a potentially affected product is automatically triggered.

Q7. How do you get your current suppliers to work in partnership with you to reduce their supplier risk profile?


It makes it easier and less of a resource constraint if you have risk mitigation processes established that are proven, and that can be cascaded down. It makes the implementation less daunting. Best practices can be modified if needed given specific needs, but the initial framework provides an incentive versus having to recreate the wheel.


Make it clear that you only wish to work with suppliers who take a similar view of risk to you, and that you will measure them in terms of their performance on this and potentially link it to rewards. They should appreciate that their profit is exposed as much as yours.


A partnership has to be beneficial to both parties. If your partnership arrangements with your suppliers are mainly issuing mandates and not based on an understanding of how it impacts the supplier, this can cause friction. People never want more work to do, but if you can show them the benefits, then the odds are more likely that you will have cooperation.

If you conduct a risk assessment of each supplier and each supplier location, this information should be shared in a cooperative manner with the supplier. The results should make the supplier better, more efficient, more effective and this value proposition should help the supplier understand the necessity to reduce risk.

If you implement a monitoring program for location based risks, share that information with your supplier. If they can see the value in you monitoring all their locations and all their sub-tier contractors, it would be easier to have them proactively work with you on reducing location based risks. If your risk management program makes your supplier more stable and productive, that is a selling point they can use with other customers. So in effect both sides win.


Roughly 60% of supply bases (note: not necessarily spend) consist of small businesses. These small businesses often do not have the experience or expertise in managing risk, or how certain risks may affect the supply chain upwards. We have all heard stories of mandates, and the corresponding pushback. However, far more companies are eager to learn and improve – and it requires a partnership (mentor/mentee) and insight (What is being analyzed? Why is it important? How can it be improved? How can you help me improve it? Etc.)

Q8. Why is budget allocation for supply risk still at the bottom of the priority and why should organizations reconsider reprioritizing? (e.g., studies reveal less than 30% allocate budget to risk management initiatives)


If organizations have not had a major impact (meaning their bottom line has not been jeopardized) due to a supply chain disruption, they often don’t see the need to spend the money on risk mitigation solutions. It is viewed as an expense versus an investment.

However, having said that, many companies haven’t assessed the true impact of a disruption. On average companies incur upwards of $1M and even tens of millions of dollars when a disruption occurs. The implementation of a risk mitigation strategy can also be cost effective especially when you weigh the dollar impact of a disruption to the cost of technology.


Organizations should reconsider because of the dramatic effect that supply chain failure has on their financial performance and share price 7%+. The reason that it is at the bottom of the list is that there has been a disconnect between CEOs and CFOs seeing it as major risk, but then in the current economic climate setting objectives for the supply chain team that just focus on cost reduction.


Net-net: most companies have not monetized the effect of risk/disruptions on their organizations (again, not just tier 1), and many, as Rose stated, don’t want to allocate more resources towards unforeseen risks when they cannot yet be quantified. I personally struggle with understanding why more companies don’t know the average costs of current/prior risks/disruptions – and I’ve experienced only a handful of CPOs, or VPs of Supply Chain, having a number on hand.

These numbers should be ingrained in stakeholders’ thinking, just as Ford quantified the cost of Jaguar’s warranty work, years ago, and put incentives in place to minimize the “hidden costs”. Similarly, it is easy to understand how people view a risk mitigation program as a sunk cost; however, one only has to look at how they manage their own, personal budget to put it into perspective.

How much is spent on health insurance, dental insurance, car insurance, homeowner’s insurance, umbrella policies, life insurance, etc. – and, though one hopes to not have to collect, isn’t it better to plan for the unforeseen? Risk mitigation programs are, in a nutshell, a form of insurance and too many companies only realize this after a major incident impacts their company.

Q9. How are corporations addressing the integration and implementation of risk monitoring for reducing supply chain disruptions, and what are the ongoing challenges?


Companies are often concerned that integration is going to be long, difficult and costly. With various technology solutions today that is often not the case. Companies need a solution that does not require dedicated IT resources. If the project is deemed to be lengthy and requires long term dedicated resources then consider an alternative. But with web-based systems and data transfer capability, information sharing has now been simplified.

The next biggest challenge faced is the lack of a system that can be considered a “one size fits all”. Therefore companies require multiple solutions to monitor the various risk categories. This can become a major internal resource drain because someone has to dedicate time to pull all this data together in order to have a holistic view of the potential risks.


It must be driven from the top and address the many functional silos that have a role in supply chain risk. The leading companies have also put dedicated resource into this key management area.


Similar to New Year’s resolutions, where individuals attempt to take on too much change, but find themselves where they started a couple of weeks in, risk programs should not have a “boil the ocean” plan. Step-by-step companies should incrementally add processes, integrate new types of information, new scorecards, etc. and view the program as continual improvement. If a scorecard, for example, is so large that many individuals, and functional groups, all have to buy in to one standard, it becomes too difficult to implement. As such, any system chosen to assist with risk mitigation needs to have the ability to easily scale, and change, as the requirements grow and change.

Herein lies the traditional problem with attempting to tackle risk within ERP systems, point solutions (e.g., only a Scorecarding system, only a contract management system, etc.), or Excel spreadsheets. At HICX, as an example, we understood that our Supply Base Management platform, though it can be infinitely configured for managing the various risks, needed to also leverage the best practices and cutting-edge third-party data sources. As such, we created a partner ecosystem, with companies such as Razient, Rapid Ratings, and Zurich, to augment information and processes, as needed, for our clients; thereby, enabling customers to scale and adapt rapidly.

Q10. How would you begin to integrate supplier risk intelligence into the supply chain for companies that do not currently have a risk program?


Start with establishing the framework that was mentioned above (Q3). This will allow for an initial assessment to really understand the suppliers. This is referred to as “back to the basics”. Where are the suppliers located, are they public versus private, do they have private equity backing, do they rely on a specific customer for business? These are all questions to consider as risk is being assessed.

The next step is to analyze the potential areas of concern. For instance, have you identified red flags (i.e., poor quality or delivery) for any suppliers? Have you assessed the financial stability of your most critical suppliers regardless if you have identified red flags? What resources do you have internally to conduct the financial analysis? Are resources available to conduct the analysis for all the suppliers identified? Can the team conduct the analysis systemically meaning every quarter or bi annually? If not, how will you contain this? Will this require outside resources (aka technology solution)?

Although not comprehensive, these are just a few thought starters to begin the risk management initiative not only for those that haven’t begun but even for those that have started and want to take an alternative approach. Risk mitigation is an evolution and as companies experience disruptions (both known and unknown) we are learning new approaches in order to address the issues.


The first step is obviously to implement a complete supply chain risk management program, which incorporates the supplier risk information. But assuming that this program is not feasible in the near future, there are a few steps that can be implemented to gain benefits from supplier risk intelligence.

The first is a basic monitoring program. If you can automate the process of knowing when locations are at risk, you reduce the downtime factor. The faster you can determine that your supply factory in Bangkok is in an area near a flood, you can quickly launch further investigation into that risk the same day versus waiting several days for your supplier to contact you.

The second step is gaining more knowledge of the sub-tiers. If you can gather key risk information about your supplier sub-tiers, this will allow you to at a minimum know when a sub-tier supplier is at risk and what specialized parts could be impacted. Having this knowledge provides the same benefits as knowing when your primary contractor sites are at risk.

The third step is working in partnership with your suppliers. As you gather more intelligence about them and their risks, sharing that information and working collaboratively to reduce risk will make the partnerships more effective. If you do set up a location-based risk monitoring solution to understand their risk profile, share that information with them. Add them to your application so that they can react faster but also know you are monitoring them.

Just understanding where potential risk can occur in your supply chain, rather than waiting for it and then responding, is the beginning of a full risk program.


Given the support mentioned above, the first step is to understand your critical supplier exposures and then to take a prioritized approach to reducing risk exposure.


Segment. Segment. Segment.

Per my earlier answer, one cannot tackle it all at once – and not all suppliers require the same diligence. In our experience, the best strategies have segmented their risk exposure (e.g., regulatory (FCPA, CMR, RoHS, REACh, etc.), revenue/cost related (e.g., multi-tier disruption costs, weather incidents, supplier bankruptcies, etc.), and reputational (e.g., CSR, factory audits, etc.)) against segmenting their supplier base (e.g., which suppliers require more diligence, which require only basic onboarding, etc.).

Once it is understood how to segment, the logic can be embedded within systems, such as HICX’s, to automatically drive the appropriate initiative. As each bite-sized initiative is rolled out, companies must: measure the effects; collect feedback from potential stakeholders on the newly gathered insight; make continual improvements; and start tackling the next tier/initiative.

Eventually, the process smooths out, risk mitigation initiatives start to intertwine effectively, and the stakeholders will find themselves managing “by exception”, versus wasting their resources by attempting to find needles within the haystack.

Risk mitigation runs the spectrum of potential solutions (e.g., incident alerts, scorecarding, supply chain mapping, compliance, etc.). If you and your organization are, at all, concerned with supplier risk, operational risk, or reputational risk, please do visit HICX Solutions’ website. No matter where you are in your supplier risk management journey, HICX has solutions to help you reach your destination.
