Assessing supplier risk is a part of implementing the 2015 version of the ISO standards, and is simply a part of best business practice. Suppliers can affect a company’s reputation, and/or its ability to meet customer requirements.
The easiest way to assess your risks from suppliers? A Supplier Risk Management Program.
Assessing Supplier Risk through a Supplier Risk Management Program
A Supplier Risk Management Program, or SRMP, is a formal way to
- evaluate, track, and measure your risk from third parties;
- assess the impact of your suppliers on all key aspects of your own business;
- develop controls to compensate or mitigate the impact on your business if something happens;
- gain consistency for managing your supplier base as a way to share information about them within your organization.
Your SRMP needs to reflect your internal controls, and it’s a tool to help you enforce them. It may involve regulatory or legal compliance, or it may not. It can be a system developed in-house, or it can be an off-the-shelf solution, so long as it helps you achieve consistency in how you assess and interact with your suppliers.
Supplier risk assessment can address Controls Risk, and/or Relationship Risk, and/or Business Profile Risk.
The easiest way to start a SRMP is to follow these six steps:
- Define: Determine which suppliers need to be managed through the SRMP. Does your office supply company need to be in the SRMP? The caterer? Depending on your industry, they may or may not be key to your success… A hotel may have the caterer as a key supplier, while a warehouse that occasionally orders pizza for the folks won’t.
- Segment: Separate your suppliers into segments – Strategic, Key, Sole Source, Scarce Resource; primary, secondary, tertiary; exposure to company, exposure to customers, regulatory exposure; or other segments that make sense to you. It’s important to understand what you are going to use to sort your suppliers into the segments.
- Assess: For key, strategic, primary – in other words, “top” suppliers due to some factor – the organization should perform a formal risk assessment. This may encompass supplier financials/scores, business continuity plans, business continuity test results, information security plans, vendor management plans (for subcontractors), internal business requestor requirements, internal risk subject matter recommendations, or other assessments.
- Sustain: The organization needs to have the ability to manage and sustain the data collection. This means that information is regularly being requested, collected, or assessed.
- Assess: The data collected is used to make decisions for the organization – should the spend with this supplier be increased, decreased, or stay the same? Do we have a risk we need to mitigate, and if so, how? Decisions should be fact-based and data driven, and documented.
- Address: The organization needs to address any actions it is taking as a result of the assessment – identifying alternate suppliers, working with existing suppliers, cutting some suppliers loose, etc.
By following this methodology, you can implement a strong Supplier Management System and help your organization in assessing supplier risk.