The Red Flag Group®

Supply chain risk management


Is your supply chain risk management programme just a one-trick pony?

Have you looked back at how much time and money has been spent by your organisation chasing the ‘risk of the month’?

Most organisations have some form of supplier risk assessment or risk review process. You may be in the process of examining or building your programme now. But ask yourself, how much of that programme is built around a single regulation or handful of issues noted in your code of conduct?

I get it — a customer or new requirement was introduced in a country or region and you were forced to react. The engagement was complex, the value was apparent and the customer was happy. But the consequence is that you’re not looking behind you for what could trip you up next. You might be knocking this one requirement out of the park, but how much could focusing on that single issue cost your organisation? How far and wide does your supply chain risk management programme examine problems for your business?

Here are a few questions to ask yourself regarding the breadth and depth of your supply chain risk management programme:

  1. How much of your resources is focused on data collection for a single reporting obligation?
  2. Does your organisation tend to react to risk issues as they are revealed?
  3. Are you falling short on meeting all of your regulatory reporting obligations, customer commitments and code of conduct expectations?
  4. Does your organisation focus too much on hot-topic risks and short-lived regulations?

If you answered yes to any of these questions, you may want to think about refocusing your supply chain risk management programme to support your organisation against a broader and more consistent set of risk issues.

Supplier risk management is not a new concept. What’s new and gaining attention in the marketplace are the types of risk, the ways these risks can affect an organisation, and processes by which you manage and mitigate risk. Singularly focused risk assessments fail to take into account other integrity and reputational issues that might arise from the supply chain. Companies should approach risk assessments with a much broader view to identify risk signals ahead of time and gain greater visibility into the practices of suppliers.

Programmes must be more broadly focused than chasing down the requirements of a single regulation or customer request. In many cases, it’s a risk versus reward strategy. Low-cost-country sourcing and supply chain outsourcing can lead to bigger margins. But without proper controls, these supplier rationalisation programmes can lead to an increase in manufacturers’ exposure and vulnerability to the risk of supply chain disruptions.

Let’s examine how to properly build a holistic programme, or improve an existing one, that avoids the pitfall of a singular focus. The risk assessment is a crucial first step in building a broader supplier risk management programme that not only looks more broadly at risk but also encompasses the entire supplier life cycle and sourcing process.

Four steps to building a best-in-class supply chain risk management programme that looks more broadly at risks facing your organisation:

  1. Identify
    1. What risks are in your supply chain
    2. Which suppliers present the biggest potential for risk
  2. Collect
    1. Media and reports on businesses
    2. Questionnaires and supporting documentation on the supplier’s practices
  3. Evaluate
    1. Analyse the data collected and compare against expectations
    2. Assess the potential impact on your business — assign risk level
  4. Mitigate
    1. Document findings and audit trail
    2. Communicate corrective actions to suppliers


First, we must identify the risk landscape. We can’t simply spray the whole town to see what comes out red; we need to focus our attention to uncover risk issues. Budgets are decreasing, people are being asked to do more with less, and there aren’t enough resources to give every risk area or supplier the same amount of scrutiny. Early in the process, it is important to identify the key stakeholders in your company and take a multi-disciplined approach to risk management. This will help avoid tunnel vision and create accountability and transparency across the business.

There are lots of indicators out there to help your organisation identify risk issues that could affect your supply chain: industry research, country assessments, NGO reports, and insight into other companies with similar supply chain practices. But as not all organisations can throw adequate resources behind all of these, we first need to identify the best way to understand the threats and their tangible impacts on the organisation. Having been in-house and now looking at it from a provider’s perspective, I know companies are being penny wise and pound foolish when they try to go it alone. With the support of a dedicated third-party risk expert, an organisation will be able to make its spending go further, covering more risk areas and getting the recommendations of individuals who have assessed risk across several organisations in a variety of industries. Seeking third-party expertise or, at a minimum, programme oversight can help organisations broaden their scope and get out of the rut of trying to solve ‘the one big issue of the day’ first. The process can be done internally, but some organisations tend to grab hold of just one regulation, develop a programme or process to approach it, then call the programme a success. What happens when a risk hits you from outside the boundaries of your current programme?


Next, you need to look at which suppliers present the biggest potential for risk. How many of us just look at our top-spend suppliers? Clearly, spend is an important factor, but it is equally important to understand the supplier’s business. This goes back to the resources question: how can the organisation best support a review of every supplier’s individual business practices, something that is impractical in most situations? You can begin to understand a supplier’s business by conducting a first-level evaluation of their potential for risk. Look at their commodities categorically, then compare that to what your third-party risk expert can identify through research into industry, country, and general risk categories seen across the globe today. Some commodities simply have more potential for risk than others, particularly hazardous processes or labour-intensive manufacturing. Some suppliers might be in a category that presents only one risk area or little risk at all.

To understand an individual supplier’s potential for risk and what mitigation activities you must perform, you must understand the supplier’s existing compliance processes and policies. I’ve been working in supply chain risk and compliance for more than 10 years, and one thing I learned early on was to involve the suppliers in the process. Suppliers are the best sounding board to help identify what areas your programme should be focused on. Brief annual engagements provide a great way to understand the broader risk landscape from a supplier’s perspective. If all you ask of a supplier is to address a single issue, that’s all you’ll get.

Some organisations believe that questionnaires don’t provide much value and that the only effective process is to conduct on-site audits. While conducting on-site audits can generate epiphanies about the supply chain, they are very expensive and not needed in many situations. If your effort is to just focus on on-site audits, how would you select which suppliers are most important for audit? Should you employ a rotation process? Could the supplier you audited in year one have a negative impact in year two? And what do you focus your audits on? It is essential to keep a wide view of the risk universe when doing either off-site or on-site audits.

In years past, I supported an industry association in creating a validated audit process of suppliers. After having conducted these audits on-site for a few years, I began to realise that we were too focused on hot topics and missed several issues. The issues were missed because we didn’t first seek to identify the risk issues we should focus on and how best to collect information on those risk issues. Once we started discussing with suppliers the potential risk issues identified by outside organisations, others in the industry or governmental agencies, we gained a far better understanding of the supplier’s practices. In most cases, we found the suppliers were already thinking about these issues and how best to address them. We modified the supplier self-assessments to first focus on risk identification and learning more about the supplier’s cultural stance towards each issue. As a result, we gathered the same if not more information from the suppliers as we would have through hundreds of costly on-site audits.


Once you’ve collected all there is to know about a supplier and its risk profile, the real work begins. You start by analysing the data collected and comparing it against your code of conduct and customer and regulatory expectations. The value of this analysis is in understanding the potential risks to your business. Not every issue identified could affect your business, and the same issue identified from two different suppliers could affect your business in different ways.

I mentioned the value of a questionnaire, but the greater value comes in having a dialogue with the suppliers. When we open a dialogue with a supplier, we get to the real story. Involving the suppliers is never more important than during mitigation, when determining why a change is important to your organisation. People outside the organisation, and sometimes individuals within it, think they have the power to walk in and dictate to suppliers how they’ll run their business. Nearly any procurement representative will tell you this simply isn’t the case. Suppliers don’t always do as we ask, nor do they always have to. That’s why we need to take a reasonable approach to providing suppliers with corrective actions whose cost doesn’t outweigh the value of our relationship. Ideally, these corrective actions add value to our risk-reduction efforts.


We discussed some things you need to do to ensure that you’re not focused on the compliance issue of the month and building your entire supply chain risk management programme like a Hollywood set. If we first take the time to document the complete process and define what success looks like, companies will see far more efficient programmes. In my early years of corporate social responsibility risk reviews, I failed to clearly map out what I was going to execute throughout the annual campaign. Not only did this leave me narrow-minded, causing me to miss risk issues, but I couldn’t even define what success looked like for the one hot topic I was fixated on. I simply jumped in too quickly and attempted to knock it all out in one go. That doesn’t mean we don’t have good ideas. It means the results we’re driving towards are far less efficient because we’re not planning out deliverables.

The Red Flag Group has identified 30 risks under the umbrella of reputational and integrity risk in the supply chain. Risk can come from a variety of sources and affect your business in different ways, from regulatory infraction to reputational damage. We’ve developed a review process to help organisations get out in front of these risks and reduce the potential for negative impact. Don’t get stuck with a one-trick pony. Think broadly to avoid focusing on one area that may disappear from the regulatory landscape tomorrow. Address the risk issues that will be important for years, not months.


What is supply chain risk management?

Supply chain risk management (SCRM) is the application of risk management tools to manage the risks and uncertainties which can be caused by, or may be affecting, the resources or logistics in the supply chain. Due to globalisation, both outsourcing and supply chain processes are getting longer and more complicated. This leaves many companies exposed to risk.

The aim of supply chain risk management is to put strategies in place to reduce vulnerability in the supply chain and to ensure continuity in the event of disruption.

Is supply chain risk management really necessary?

Supply chain risk management has become increasingly difficult as a result of globalisation, as it has become harder to trace where goods have originated from.

For example, a weapon manufacturer may use raw materials sourced from a supplier who had no idea that they were part of a complex supply chain and had no knowledge of their material’s final usage. This increases exposure to risks.

The process of supply chain risk management

Robust supply chain risk management processes are required to identify and manage the increasing number of supply chain risks.

The process involved in managing supply chain risks usually consists of four steps:

  • Identification
  • Assessment
  • Controlling
  • Monitoring

Identifying supply chain risks

Supply chain risk is measured as the likelihood of an event occurring combined with the impact it would have on the business. The downside of using this method to analyse supply chain risk is that the likelihood of some risks, e.g. a hurricane, can be difficult to predict.

It is advisable for companies to use cross-functional teams to create a comprehensive list of the risks the company faces.

Potential risks to the supply chain include:

1. Natural disaster threats, e.g. floods, hurricanes, earthquakes
2. Counterfeit products
3. Security
4. Product integrity
5. Resilience
6. Geopolitical
7. Reputational, e.g. as the result of a trading partner engaging in bribery or money laundering
8. Financial, e.g. as the result of supplier bankruptcy or market volatility
9. Man-made risk such as fires or explosions

Whilst known risks can be identified and evaluated, other risks such as natural disasters or man-made risks can be far harder to calculate. For unknown risks such as the ash cloud in Iceland, it is more important to develop the ability of the supply chain to respond to risk rather than focusing on calculating the possibility of the risk occurring.


Contingency plans which may minimise the damage caused by risk include:

  1. Stock management
  2. Contingency insurance
  3. Risk assessments and audits
  4. Alternative sourcing arrangements
  5. Training programmes
  6. Business intelligence
  7. Collaboration

Supply chain resilience

Because many supply chains are very complex, supply chain risk management may not be comprehensive enough to cover all eventualities. Consequently, supply chain risk management is often done in tandem with supply chain resilience.

Supply chain resilience focuses on strengthening the supply chain so that it is capable of adapting to withstand unexpected events and recovering from them quickly, whilst maintaining operations and control over function and structure.

Successful monitoring systems are designed around the needs of the organisation. They should incorporate early warning systems linked to the highest risks in order to give the company the maximum chance of mitigating, or at least minimising, their impact if they occur.