How to Deal with Procurement Risks Effectively?
If you have read our articles dedicated to the importance of risk management in procurement and basic types of supply chain risks, then you should be wondering what the best ways to manage supply chain disruptions are.
Supply chain experts consider that the best way to manage a supply chain disruption is to prepare for it by identifying the potential risks within the supply chain and developing ways to mitigate them. Precoro team offers a number of techniques and tools that may be useful in helping you identify risks. You can adapt them to your current situation.
Expert knowledge relies on the experience of people who have worked on similar sourcing operations in the past. Interviews with individuals, stakeholders and experts are good methods to use to gather expert knowledge. Interviews with subject matter experts may uncover risks not previously considered.
You or your colleagues may have compiled a historical database of risks encountered in previous sourcing efforts and contracts. It will be useful if you organize this database by contract type and include a list of the problems encountered that can be identified as risks, their sources, and the events that precipitated them. Include also the mitigation plan put in place to deal with the risk, and the success of that mitigation plan if it was actually applied to an event. Records of previous contracts can also provide historical information. These records may be kept in a database, or they may be paper files. If you don’t currently have a process that captures historical risk information, you should consider developing one.
Another technique frequently noted is to identify risks and sources of risk by conducting a brainstorming session. Gather a group of subject matter experts who have an understanding of the nature of risk, including stakeholders and those who will not be directly affected by your activities as a way of maintaining relative objectivity. This activity will make it possible to create a broad list of potential risk events and their sources. You can then apply them to your specific conditions in order to refine the list.
Every contract has a product or service around which the contract is written. The nature of that product or service has a major effect on the risks identified. If the product has been successfully provided many times in the past, there will be a fewer unidentified risk and you will have a history of dealing with them.
After identifying and categorizing the risks, you must take steps to control the risks. The notion of control acknowledges that you may not be able to eliminate risk entirely in many situations. You may be able to minimize the risk or mitigate it by taking action to handle the unwanted outcome in an acceptable way. Options may also be available that will enable you to avoid the risk altogether or transfer the risk to your supplier when beneficial to both parties.
The approach or tool you use for control will largely depend on the stage in the contract where a risk appears and on the amount of information available regarding the source or impact of that risk. Regardless of the conditions, however, effective control requires a plan or at the very least an outline of actions we should be taking and the circumstances under which we should take them.
As you develop a plan, you must take into account the goal, scope, and objectives of the sourcing activity. You must clearly understand the product or service being provided, its purpose, and the expectations of the customer or stakeholders regarding the product. You also need to understand how the contract and its product support your organization’s strategic goals and business plans. This knowledge will help prioritize your activities.
A risk trigger can be defined as a “precursor to an actual risk event”. It lets you know a risk event may be about to occur. You should identify triggers for each significant risk, and you should monitor those triggers, being alert to their appearance as you manage a sourcing operation or contact.
For example, cost overruns on early activities may be a signal that cost estimates were poorly developed, and the contract is trending toward being over budget. The person responsible for monitoring the risk would be tracking the costs on those early activities. Cost overruns by a specific date would indicate that cost estimates should be reevaluated.
Monitoring includes tracking current conditions through reports or through physical access to the source. It also includes updated assessments of probability and consequences, as well as uncovering conditions that were not previously apparent.
You monitor risks to ensure that:
- Risk responses have been implemented as planned
- Risk responses are as effective as you expected them to be. If they aren’t, you may have to develop new responses.
- Any documented assumptions remain valid.
- Risk exposure has not changed from its prior state. If it has changed, additional analysis is needed.
- No risk trigger has occurred. If a trigger has occurred, contingency plans must be put in place.
- Proper policies and procedures are followed.
- No risks have occurred that were not previously identified. Again, if new risks have arisen, they must go through the same review and analysis process as previously identified risks.
Risk mitigation involves lessening the impact or magnitude of a risk event. You can do that by reducing the probability that the risk will occur, reducing the risk event’s impact, or both, to an acceptable level. One way to reduce the probability of a risk occurring is by using proven technology to lessen the chances that the product of the contract will not work. If the contracted service is a software application, you could elect to develop on a platform that you have used successfully in the past rather than on a platform with which you have little or no experience.
As you mitigate risks, you may end up trading one risk to another. For example, a buyer may choose to mitigate a cost risk by asking for a fixed-price contract, but that may cause a schedule risk if the contractor is not able to provide the service in the desired time frame for the fixed price.
The cost for risk mitigation should be in line with the probability and consequences of the risk. In other words, you’ll spend less time and money planning for risks with low probability and low impact than for risks with high probability and high impact. To aid decision making about risk reduction, you must take into account the cost of reducing the risk. We call “risk-leverage” the difference in risk exposure divided by the cost of reducing the risk.
A common method of mitigating the impact of a risk event is to develop a contingency plan in advance of the possible occurrence, usually shortly after the risk is identified. The purpose of this plan is to enable the sustained execution of mission-critical processes and information technology systems in the event of an extraordinary event that causes these systems to fail minimum requirements. The contingency plan will assess the needs and requirements so that your company may be prepared to respond to the event in order to efficiently regain operation of the systems that are made inoperable from the event.
The plan includes specific actions to be taken should a risk event occur, such as identifying an alternate source should the selected source become unable to meet its contractual obligations or a substitute part should the primary part become unavailable.
Eliminating the cause of the risk can sometimes remove a risk that you can specifically identify. For example, if the lack of skilled resources causes an identified risk, you can eliminate the risk by having the supplier hire the skills needed to perform the contracted services. Risk avoidance techniques also include reducing the scope of the contract to avoid high-risk elements, adding resources or time to the contract, avoiding suppliers or contractors with unproven track records, and using a proven approach instead of a new one.
You may choose to accept the consequences of the risk event. Risk assumption can be active, as in developing a contingency plan for execution should the risk event occur, or passive, as in deciding to deal with the risks and their consequences when or if they occur, but not planning for them in advance.
Transferring the risk occurs by allocating risks to other entities or by buying insurance to cover any financial loss should the risk become reality. In some situations, your supplier may be better suited to dealing with a particular risk, so transferring it through negotiations might be in order. There is a caveat, however: risk transfer may come with additional costs, such as the cost of insurance or an additional amount tacked on to the pricing by the supplier in order to be able to deal with the event should it occur.