Connecting the dots

Making the connection between risk and opportunities in procurement


October 2018


While you are reading this article, an innovative start-up – let’s call them New Way – is presenting their technology to a long-established industry player, let’s call them General Business. They were invited in by the production manager, who thought their alternative bid solution was interesting. Their technology has the potential to simplify production lines, while also offering increased customer customisation. However, they are quickly disqualified in the process as the category manager aims for a “zero risk” supplier. Their solution does not meet the strictly defined functional specifications, they have insufficient financial guarantees and they do not have enough references. Yet, their solution would solve so many issues… Does this sound familiar?

In a parallel universe, General Business has a clearly defined risk tolerance that provides the category manager with the guidance, flexibility in processes and a true understanding of the risks, enabling him to take a chance with New Way. The General Business category manager has KPIs based on cost, optimisation improvements and avoiding unnecessary risk exposure. These push him to seek out opportunities and challenge the way that things are currently done. The new technology is selected for a trial location and its proof of concept works. It enables not merely an incremental improvement, but a true step change that propels General Business to be a leader in their segment.


In this article, we argue that there are at least four key issues in how procurement risks are typically managed:

  1. Lack of business overview
  2. Compliance layering
  3. Narrow procurement objectives
  4. Resource constraints

We recommend that you evaluate your procurement organisation’s approach to risk for:

  1. Alignment of risk management
  2. Flexibility of procurement policy
  3. Validity of the operating model
  4. Preparedness for impact

We typically suggest four first steps towards managing procurement risks to better support decision-making and the organisation’s goals:

  1. Setting risk tolerances
  2. Optimising resource allocation
  3. Preparing for crisis
  4. Procurement with impact

Where are the blind spots in procurement risk management today?

Lack of business overview

Procurement risks are usually left up to category managers to manage within their own immediate scope and knowledge area. Often, there is no organisation-wide guidance on risk appetite and tolerance to help a category manager, leading to a “better safe than sorry” approach. Furthermore, risks often have a narrow definition, e.g. lead time, capacity, financial stability, price movements and regulatory changes. However, procurement activities may play a part in managing risks that are broader and organisation-wide, including brand damage and weak innovation. Typically, the lack of this broader perspective also relates to the question of who is responsible when a crisis actually hits – Procurement, Operations or even the CFO/CEO?

Compliance layering

The knee-jerk response to any incident (whether faced by your own organisation or other industry players) is to reduce risk tolerance, increase standardisation and increase supplier compliance requirements. Procurement builds up a catalogue of requirements as a cover-all response to minimise any risk or uncertainty, rather than reassessing the severity of the various risks. This increases the compliance burden, both on the organisation and on suppliers, without adding overall value, and it creates a false sense of security. Compliance layering can be compared to layering slices of Swiss cheese; specific issues can be covered each time, but the holes might line up by chance and this is where risks will still materialise. Reassessing the overall risk and compliance framework regularly not only minimises the administrative burden, it also ensures that there is a good understanding of the risks your organisation is exposed to.

Narrow procurement objectives

The three objectives of managing cost, quality and risk underpin procurement’s purpose. However, the role of procurement is often limited by the organisation to only focus on cost. This leads to a short-term cost focus as opposed to a “value or impact focus”. This limits the contribution suppliers can have on the business from a Total Value of Ownership (TVO), risk and innovation perspective. Due to the narrow focus, trade-offs are not fully understood, and decisions are based on incomplete information.

Resource constraints

Total visibility in supplier risk management is unlikely as procurement does not have endless resources to assess or audit second or third tier suppliers. A conscious decision must be made to focus resources on where they can have the largest impact. Furthermore, it is important to understand, record and track areas that are not currently managed, but may pose a threat in the future, thus providing a complete overview of your organisation’s risk exposure.

Outsourcing risk is impossible

In 1996, Life magazine published a story that changed the perception of Nike for at least the following decade. The article included a picture of a child stitching a football with a Nike logo on it. Nike pioneered outsourced manufacturing right from its first pair of running shoes in 1971. Nike, like other businesses at the time, thought that not owning factories meant that they had no responsibility for the production methods. They were wrong. In 1998, Founder and CEO Phil Knight admitted, “the Nike product has become synonymous with slave wages, forced overtime and arbitrary abuse.” It took a long time, but Nike bit the bullet in 2005 and took a USD 100m hit by recalling footballs that were being made by a Pakistani supplier in an unethical way and cancelling the supplier’s contract. The supplier went bankrupt and others took note. Nike was serious about their ethical standards and the company was not all bark and no bite. Nike has made a complete turnaround and is now often at the top of the list of most sustainable companies.

Does your company, like Nike in the 1990s, believe that “ignorance is bliss”? Or do you have a clear direction, defined procedures and responsibilities, clear statements and a clear understanding of what you need to do to appropriately mitigate these risks? Would you have had better damage control, or even have turned the crisis into an opportunity?

The court of public opinion is more informed, more interested and more active than ever before; being prepared is essential to maintaining trust.

Evaluate which areas to improve

Knowing where the typical blind spots are in organisations’ procurement risk management does not mean that they are wholly applicable to your organisation. Ask yourself the following questions to evaluate which areas you could improve:

Have you aligned your procurement risk management?

Do you communicate your organisation’s overall risk tolerance to the procurement organisation? This will allow your category managers to adjust their procurement approach accordingly. The procurement team has substantial influence over the organisation’s overall risk profile by controlling the supply base.

Is your procurement policy too rigid?

Review supplier policy and segmentation criteria based on the broader risk scope as well as the adjusted tolerance levels. Does your procurement policy provide enough guidance to manage risks, while maintaining the flexibility to make decisions quickly or to select innovative suppliers? Is the policy followed in practice and does it have the intended outcomes?

Do you have an appropriate operating model?

Evaluate your organisation’s procurement operating model for its ability to support your procurement strategy and objectives and the inherent risks that need to be addressed. This includes clear processes, protocols, governance and roles and responsibilities.

Are you risk aware or risk wary?

Accept that there cannot be zero risks in every area:

  • Look for relevant areas where you can share risks with suppliers and avoid the overpricing of risks or the sub-optimisation in how risks are mitigated.
  • Understand that there can be opportunities to be gained in areas where you are better positioned to take on the risks. Do not push risks on suppliers unnecessarily, as this may ultimately increase costs for you and exclude opportunities to partner with innovative suppliers that could enhance your relevance to your customers.
  • Ensure that preventive measures for key procurement risks are in place and integrated in the procurement process. But also know that some risks cannot be eliminated. For such risks, do not neglect the need to align requirements with business continuity and crisis management plans, should any significant procurement and supplier risks materialise.

What can you do to close the gaps?

Now, you have a better idea about your organisation’s blind spots. Here are some recommendations for closing gaps and getting started with joining up your organisation’s risk management approach.

1. What got you here, won’t get you there

Traditionally, risk management is built up of three activities: risk analysis, risk assessment and risk mitigation. We argue that there should be an explicit first step in communicating the level of risk tolerance linked to the organisational objectives, with consideration for the industry and external and internal conditions. Furthermore, due to our rapidly changing world, a broader perspective of potential risks is required.

2. Optimising use of resources

Whether from an organisational level or at a category level, reducing risks to zero is impractical, costly and will close the door to opportunities. The figure below shows that benefits from risk prevention decline when the level of risk tolerance is either too high or too low. Procurement resources should focus on high impact areas by:

  • Segmenting suppliers and categories
  • Optimising processes, be it through Lean process improvement, automation or digitalisation
  • Clarifying policies and roles

Illustration of the trade-off of risk and benefit.

3. Avoid being caught with your trousers down!

In your first response to a crisis, wouldn’t you rather be able to say, “the supplier operated outside of our agreed policies, we have cancelled their contract and we are taking the following steps to rectify the issues caused” than, “we don’t know how this happened, but we will start an investigation…”? Procurement can help you be prepared for a crisis through proactive risk management, supplier management and reliable data. Being prepared for a crisis will avoid panic and awkward PR moments, and provide the space to fix the root cause. Organisations need to have a clear framework for crisis response, which is well-communicated. This includes:

  • Clear policies and processes for risk management
  • Defined roles and responsibilities, including escalation channels
  • Easy access to contracts and other supplier documents
  • Access to alternative suppliers

4. Procurement with impact

Empowering procurement through enterprise risk alignment provides the team with the necessary information and guidance to adjust their expertise and resources where it matters. Being focussed on what is important will ensure that the right information is available and applied when it is needed. Defining what “the right data” is for your team depends on internal and external factors that set your priorities. Ideally, you have easily accessible data that can be presented in auto-populated dashboards with minimal manual effort; however, this is not always possible.

Procurement teams need to be provided with the tools and skills to manage risks effectively and with improved judgements on when opportunities may outweigh the risks. Risk management training is central to this, providing a common language, interpretation and a full understanding of the management options available.