Companies tend to have supply chain risk management practices that are informal, ad hoc and siloed within functional divisions and they struggle to transform them into a more dynamic and coordinated effort. “The risk management activities at a majority of companies we encounter are functionally-driven with little or no internal integration,” acknowledges Erich L. Gampenrieder, KPMG’s Global Operations Advisory Lead. “But things are changing; in the last few years, we are seeing increasing demand from clients to integrate and work across supply chain processes and risk functions”.
“Many companies are now focusing on integrating their functional efforts, not only to optimize them, but also to aggregate them to obtain a more comprehensive picture of their risk exposure across the enterprise,” elaborates Niul Burton, EY Procurement Lead and Total Supplier Reliability Co-Lead. “More companies are asking for an integrated ‘single source of truth’ that captures and consolidates all sources of risk across the enterprise,” notes Graham J. Murphy, Third Party Risk Management Lead in KPMG’s US Risk Consulting practice.
As companies seek to integrate their risk activities, they need to consider and select among various organizational structures and operating models and different designs portend important tradeoffs for risk management. “Operating models range in degree of centralization, there is no one best model. Some firms centralize governance to establish consistent expectations, but then decentralize operations for engaging suppliers and managing risk in any number of functional areas to retain independent and agile local behavior,” observes Mathew Moog, EY Principal, US Third-Party Risk Management leader, Financial Services.
Further complicating the decision is cost. “Whether a company decides to implement a central dedicated risk management function is strongly dependent on the size of the company and whether it can justify the cost,” discerns Thomas Tapp of h&z Management Consulting Risk Management group. “In many medium size companies, management may decide it is not worth it and in these cases, while continuing to advocate for a central function, we embed risk management directly into the supply chain functions.”Another difficulty in establishing a centralized function it that there is no clear owner, much less a person in the company with a full understanding of the interconnectedness and cross functional risks across the entire enterprise. “Supply chain issues are broad and touch upon almost every aspect of a company’s operations. As such they require lots of different capabilities and competencies to effectively address the internal and external elements that make up the extended supply chain,” attests Greg Gerstenhaber, Bain’s Lead Partner of its Americas Supply Chain Practice.
While many larger, highly-regulated companies are well along the maturity curve and have put in place centralized, third-party risk management programs to comply with recent regulation, they are now seeking to make these programs more efficient and cost effective. As the Vice President of Third Party Lifecycle Management at a Global Financial Services Institution recounts: “After the financial crisis, new banking regulations prompted us to step up our third party risk management program. We scrambled to comply with regulation, actively engaging consultants to help us design and develop strategic frameworks for governance, compliance, reporting and even project management services to ramp these new programs. Having tested our systems through several rounds of regulatory scrutiny, we are now comfortable with our overall program design. And as we continue to push our program further out into our supplier ecosystem, our need is now pivoting towards making it more cost effective.”
Because the recent expansion of the risk management function has been so haphazard, many risk teams are sub-optimally utilized, exhibiting duplication of roles and inefficient allocation of tasks. “Thus the next frontier,” in the words of EY’s Niul Burton, “is to better and more accurately track spending on risk management activities to ensure that money is being spent wisely and efficiently.”
Naima Hoque Essing is the Senior Analyst, Lead for Risk Consulting Research where she oversees ALM Intelligence’s risk management consulting service lines.