1. 1
MILAN, 6 APRIL 2017
Marco Santino @ PEC 2017
Levers for Tomorrow's Procurement:
Supply Chain Risk Management
2. 2
Supply chain risk management increasingly important
Increasing risk exposure and supply chain vulnerability demand systematic approach
Stronger supply chain vulnerability
• "Optimized" supply chains: Lean supply chain with lower buffer inventories
• Complexity of product range and technical equipment: Increased purchasing variety with higher supply network complexity
• Outsourcing: More actors along the flow, dependencies and interconnections
• Global flows: Larger and more complex manufacturing network, resulting from the last 20 years of evolution
Increased risk exposure
• Natural disasters almost tripled and man-made disasters increased by 50% since 1970
• Recent events with supply chain impact include: natural events, organized strikes, plant explosion, market downturn
All industries are impacted
Source: Center for Research on the Epidemiology of Disasters, BCG
3. 3
Different "type" of risks to consider
• Operational risks
• Geopolitical risks
• Catastrophe risks
• Market risks
• Strategic risks
• Financial risks
• Supplier risks
Increasing manageability of risk
Source: BCG
4. 4
Political instability: BIG impact on global supply chains
Source: Press Clippings
Impact on Procurement
• Need to anticipate impact and put in place contingency plans
• Negotiate flexible deals or shorter term contracts to accommodate political / regulatory risks
• Need to design flexible supply chains
• Need to carefully plan for a correct risk allocation and more sophisticated formulas (currency risk, inflation risk, commodity price volatility risk, etc.)
• On longer term contracts: work with finance and consider hedging models
• Increase buffer inventory
• Prepare for changes in tendering regulations
• ...
5. 5
What's next? Cyber security ...now part of the procurement agenda
The risk is spreading also in unexpected fields ...
Example: Energy Delivery System
In 2016 a trio of highly trained hackers baited the employees of an electric utility north of Seattle. They had a bite in 22 minutes
Supervisory control and data acquisition systems and other automation tools are becoming the norm as utilities modernize their grids
However, many of those energy delivery systems "are configured with default accounts and passwords that are sometimes publicly available"
Unused and unnecessary software and services in energy delivery systems and components that are left enabled can pose potential entry points for exploits, especially if they are not monitored
...and is also impacting Procurement
"The Supplier shall remove and/or disable, through software, physical disconnection, or engineered barriers...."
"The Supplier shall disclose the existence of all known methods for bypassing computer authentication...."
Source: Cyber Security Procurement Language for Energy Delivery Systems, US Department of Energy
6. 6
Need a comprehensive, objective, balanced approach
Focus should be on both short term and long term decision making
Comprehensive
• Cover all relevant risks
• Covers systematic, unsystematic, component and commodity risks
• Relevant across all types of suppliers (International, Large domestic players, SMEs, JV / non JV)
Objective (Enables Common Vocabulary)
• Standard list of metrics
• Defined number of comprehensive metrics
• Most metrics with objective, data-based assessment
• Standard measurement and scoring systems
• Standard action library
Short term & Long term
• Focus on both strategic and operating metrics
• Aims to manage short term production interruptions and challenges
• Also focuses on managing long term supply risks at component level
Focus on decision making
• Creates a portfolio level view with all important decision inputs
• Prioritize on the basis of severity and impacts of risks
• Links risk assessment to action library
8. 8
Define a dashboard of Key Risk Indicators (KRI) ...
Geopolitical risks
1.1 Socio-political risks
Examples / Pragmatic KRIs
• Political stability
• Political independence
• Separation of power
• Corruption
• Criminality
• Expropriation
• Strikes
• Country risk rating (e.g. World Bank)
• Corruption index
• Criminality index
• Population satisfaction rating
• History of strikes
1.2 Legal risks
Examples / Pragmatic KRIs
• Export restrictions, tariffs
• Tax discrimination
• Labor policies
• Grants and subsidies
• Environmental regulation
• Tax rates
• Foreign relations assessments
• Frequency of regulation change
1.3 Infrastructural risks
Examples / Pragmatic KRIs
• Power
• Transportation
• Telecommunication
• Infrastructure coverage and quality rating
• Infrastructure investments
Catastrophe risks
2.1 Environmental disasters / extreme weather
Examples / Pragmatic KRIs
• Flood
• Earthquake, tsunami
• Tornado, hurricane, typhoon, monsoon, blizzard, ice storm, hail
• Avalanche
• Drought, heat wave, wild fire
• Epidemic, famine
• Number of hazardous geographical locations
• Past incidents of natural disasters
2.2 Man-made disasters
Examples / Pragmatic KRIs
• Accidents
• Fire
• Explosions
• Spillage
• Accident rates
• Dry zones
• GDP
2.3 Violent acts
Examples / Pragmatic KRIs
• Military coup d'etat / Revolution
• Terrorist attack
• (Civil) War
• Vandalism
• Population satisfaction rating
• Foreign relations
Legend: high priority indicator
Source: BCG example
9. 9
...with agreed metrics and scoring system in place
1. Define hard & soft indicators; objective and simple
2. Define how to capture the data and the update frequency
3. Define uniform scoring logic which can be codified for automation
Example: Liquidity risk (5.3)

| Metric | Type | Data source | Who will update? | Update freq.¹ | Scoring logic |
| --- | --- | --- | --- | --- | --- |
| History of vendor approaching OEM for funds (working capital/advance payment) in last 12 months | # | OEM internal data | Buyer | 3 | Red = > 2 times or greater than 10% of annual turnover; Yellow = between 1-2 times or < 10% of annual turnover; Green = 0 |
| Current ratio (Current assets / Current liabilities) | Ratio | Annual report | Vendor upgrade team | 12 | Red = < 1; Yellow = between 1 & 1.5; Green = > 1.5 |
| Short Term Credit rating (Crisil, D&B, Cibil, CARE, ICRA) | Rating | Public source | Vendor upgrade team | 6 | Rating by different agencies is clear in terms of high risk / medium risk / low risk |
| Interest coverage ratio (PBIT/Finance charges) | Ratio | Annual report | Vendor upgrade team | 6 | Red = < 1.5; Yellow = between 1.5 and 2; Green = > 2 |
| Is vendor paying his tier 2/3 vendors in time? | Yes/No, Months | Feedback from tier 2/3 supp | Central source | 6 | Red = Tier 2/3 vendor has complained to OEM. Else, Red = > 3 month delay; Yellow = between 1 to 3 months; Green = < 1 month |
| Is vendor paying employees in time? | Yes/No, Months | Supplier audit | Buyer | 3 | Red = > 1 month delay; Yellow = between 2 week to 1 month delay; Green = < 2 week |
| Is vendor maintaining adequate RM/FG inventory | Yes/No, Shortfall % | Supplier audit | Buyer | 3 | Red = if shortfall > 50% of his expected inventory; Yellow = 25%-50%; Green = < 25% |
| Choice of payment cycle by vendor | 10 / 30 days | OEM internal data | Finance / Buyer | 6 | Yellow = 10 day payment cycle; Green = 30 day payment cycle |

1. In months
10. 10
KRIs set to assess specific supplier risk...
For suppliers in high risk component categories
Risk categories: Geopolitical risks, Catastrophe risks, Market risks, Strategic risks, Financial risks, Operational risks
Sociopolitical risks
□ Country risk rating
□ Corruption index
□ Criminality index
Environ. disasters
□ Past incidents of natural disasters
Macro-econ. devel.
□ GDP (growth)
□ Employment rate
□ Inflation
□ Gini index
SC structure
□ # of alternative suppliers
□ Supply / demand situation
Profitability
□ EBIT
□ Net profit margin
□ Cash conversion cycle
Process / org. risks
□ Infrastructure rating
Legal risks
□ Tax rates
□ Frequency of regulation change
Man-made disasters
□ Accidents
□ Dry zones
Market price devel.
□ Commodity indices for major used components
Industry concentr.
□ Market share
□ # of clients
Funding
□ Current ratio
□ Rating
□ Debt / equity ratio
□ RoE, RoA
Personnel risks
□ Employee age
□ Level of education
□ # of labor unions
Infrastructural risks
□ Infrastructure coverage and quality rating
□ Infrastructure investments
Violent acts
□ Population satisfaction rating
□ Foreign relations
General strategy
□ Image ranking
□ Contract duration
Liquidity
□ Credit lines
□ Cash position
□ Refunding rates
□ Liabilities
□ Liquidity plan
Technological risks
□ Age of machinery
□ Facility restoration
Legend: to be assessed for countries in which supplier has production facilities; to be assessed for supplier itself
Source: BCG
12. 12
Detail risks by expected loss and manageability...
For high risk suppliers only
How easily can the risk be managed and how costly is it?
• Can we reduce the probability of occurrence?
• Can we reduce potential losses?
• What are the costs of implementing risk mitigating measures?
• Which frequency is needed for measure implementation?
• Which resources are required?
• What are monitoring costs?
[Figure: risks of Supplier 1 (numbered 1.1 to 6.3) plotted by expected loss (Low / Medium / High) against manageability of risk (Low / Medium / High); quadrants: Actively manage, Transfer/Hedge, Accept, Avoid exposure/contingency plan]
Expected loss = Risk factor x expected impact¹
1. Risk factor coming from previous risk assessment; Expected impact (e.g. production downtime) to be assessed with OEM experience
Source: BCG
13. 13
...in order to develop concrete mitigation strategies
| Type of measure | Description |
| --- | --- |
| 1. Actively manage | Reduction of probability of risk occurrence and of potential damage |
| 2. Transfer / hedge | Transfer of risk to external third parties |
| 3. Accept | Company carries risks that cannot be reasonably reduced |
| 4. Avoid exposure / contingency plan | High risk factor, but not manageable |

Sample mitigation actions
• Help supplier reduce risk
• Keep inventory
• Insurance companies
• Multiple sourcing
• Prepare fall-back options (dual sourcing, stock keeping,...)
• Coverage with liquidity and stock reserves
• Vertical integration
• Multiple sourcing
• Geographic diversity
• Avoid LCC countries / concentration
Source: BCG
14. 14
Early warning systems use key trigger events
Checklist for early warning signs
Source: BCG
Risk categories: Geopolitical risks, Catastrophe risks, Market risks, Strategic risks, Financial risks, Operational risks
□ Political activities / elections
□ Strikes
□ New legislation / regulation
□ Major infrastructural failures (power outages etc.)
□ Natural disasters
□ Major accidents
□ Riots
□ Price development of commodity markets
□ M&A activities
□ Bankruptcies
□ Major investments, new plant openings
□ Volume problems
□ Profit problems
□ Liquidity problems
□ Change of payment terms
□ Downgrading of rating
□ Frequency of complaints in day-to-day business
□ Major outplacements
□ Quality problems
□ Management changes at supplier
15. 15
Technology: a great enabler of advanced approaches
Case Example: Digital control tower provides real time visibility for supplier risk mitigation plans
Source: BCG experience
• Event: Midwest Flooding 2013
• Level of Impact: High (3)
• Location: Midwest US
• # of Client Facilities Affected: 99
• # of Suppliers Affected: 1234
Situation
Digitally enabled view of impact and mitigation of supply chain disruptions
Caterpillar Assurance of Supply Center allows quick evaluation of impact of
unforeseen events and elaboration of mitigation plan
16. 16
Some best practices
Source: BCG
Need people who recognize risk management as part of their day-to-day jobs
• Separate team or (better) integrated into buyer roles
• Dedicated capacities and IT systems
Need to link supplier risk management to overall supplier relationship management
• Supplier relationship management can go a long way in reducing supplier risk
Need to identify and constantly challenge main drivers of supply chain risk
• A lot of factors seem to matter
• Takes time to identify those that really drive risk
Need to focus on taking action vs. assigning traffic lights
• Tendency to get caught in analysis
• Clearly defined process with timetable for completing each step helps to avoid
17. 17
"History will teach us nothing" ?
How failing to manage and monitor risk can be the difference between success and failure
In 2000 Royal Philips Electronics, a major supplier of cellular phone chips, an industry operating at capacity, experienced a factory fire
• Initial damage appeared minimal, which Philips communicated to suppliers
• After two weeks, Philips realized it would take 6-8 weeks to fully resolve
Nokia responded quickly and effectively...
• Had a sophisticated disaster recovery plan: category manager noticed a problem prior to any notification from Philips
• Issue was quickly escalated to the executive level and a cross-functional emergency team was set up
• The team was able to shift sourcing to other suppliers and other Philips plants
• Production was minimally affected
... but Ericsson did not have a disaster recovery plan in place
• Ericsson did not act quickly, alerting the division president only after 5 months
• Ericsson was caught off guard when Philips announced additional delays, causing operations to stall
• Ericsson's mobile phone division suffered a $2.3B loss in 2000 (In contrast the damage to Philips was less than $50M in lost revenue)
Source: Financial Times Press; Michelman 2005; Worldwide Mobile Handset and Subscriber Statistics 2003; BCG analysis
[Figure: Nokia and Ericsson market share (%), '98-'03, with the date of the fire marked]