Supply-Chain Sleuth

With a bit of digging you can overcome the challenges of assessing supplier reliability

Anyone who sells a product or service understands that the twin objectives – low costs plus high profits – equal good business. This equation has become an integral part of our entrepreneurial skin. When we begin to think about supplier reliability, we run head-on into that long-established equation.


Changes over the past decade have made it increasingly challenging to meet our basic business objectives. Significantly lower labor costs in less developed parts of the world, combined with the power of the global internet, have contributed to the allure of outsourcing critical services to locations at great physical distance from the purchasing firm and made it common practice. In the race to maintain competitiveness, manufacturing supply chains have grown greatly in length and complexity. Very rarely does a firm control all of the links in its supply chain.

In a world of rapidly multiplying risks from global warming and civil unrest in its many forms, proactive management of supply chain risk seems only prudent. Written contracts can be useful mechanisms to clarify relationships, costs, and penalties, but once you contract with a supplier outside of your home country, your options for enforcing such a contract may be limited at best. Imagine the repercussions if your firm’s failure to adequately control a supplier’s quality culminated in a widely publicized business disaster. Considerable damage to the firm’s reputation could result in both loss of revenue and long-term depression of stock price.

Quality control incidents are escalating. The use of lead paint on children’s toys and melamine contamination of pet food and milk-based products are two recent, glaring examples. Such quality problems can occur even within the US, as with the contaminated peanut paste scare in 2009. These incidents can result in customer boycotts of all of the firm’s products, and long-term loss of customer confidence. For some companies, reputations take a devastating hit when some remote link in the supply chain is found to be using child labor or other unfair labor practices in the production of the contracted goods.

This article addresses a supplier risk governance approach that will help your organization actively manage these risks. You will learn how to collect, aggregate, and analyze data that can help mitigate your organization’s third-party dependency risks.

Knowledge is Power

Without appropriate data, we can work only from vague impressions and gut feelings. Risk governance is no different from any other process in its data needs. And so this approach begins with the collection of all pertinent data, aggregates it in meaningful ways, and then analyzes it. Your main objectives here are to create knowledge about suppliers and the risks they impose on the purchasing organization, and to support managerial decision-making that takes into account all relevant factors.

Collecting the Data

  1. Start by identifying your critical operations. This information should be available from your BIAs for each business function, possibly supported by additional interviews. Include any operation where anything more than a minor supplier incident can produce a material loss of revenue or a significant depression of stock value.

  2. Locate all existing contracts with your primary suppliers. Take note of contracts that have few protections for the buyer of products or services.

  3. Contact each supplier for more information about their operations: the physical location(s) involved for your product or service, as well as the supplier’s subcontractors. What is each subcontractor’s business continuity capability?

  4. If someone has conducted a risk assessment for this supplier, locate it. Note any past measures (such as dual-sourcing) or compensatory measures (a supplemental power supply) and assess their historical benefits and costs.

  5. Locate all records documenting incidents with this supplier. Calculate the cumulative financial cost of these incidents for as many years as you have data.

  6. Collect all insurance policies that might provide benefits to you in the event of an operational interruption.

  7. If there is a written procedure for vetting third-party suppliers within your firm, locate it. If this procedure is not written down, talk to your purchasing and other contracting departments to find out what the unwritten procedure is.

  8. In terms of historical and potential impact to the organization, prioritize all suppliers as either MEDIUM, HIGH or CRITICAL. The financial values ascribed to each priority class will depend on the size of your organization and your degree of dependence on third-party suppliers.

If analyzing supplier dependency impacts is a new process for your organization, we recommend that you prototype this process by limiting your initial analysis to one or two clearly CRITICAL suppliers. This will allow you to minimize cost but still be able to demonstrate to your management the value of this process. As this process gains traction in your organization, you can then apply it to other critical suppliers, and adapt it to HIGH and MEDIUM suppliers.

Analyzing the Data

Analysis and aggregation of the collected information is the next step to understanding the specifics of any supplier risk profile. See Table 1.



1. Contracts

  • Read all contracts pertaining to this supplier. Look for SLAs and penalties for interruptions/incidents (including a contract “out” for exceeding defined interruption levels and fee reimbursements for delivery failures). Note any parts of the contract where your interests are not being served.
  • Design and document an “ideal” contract between your firm and this supplier.

2. Insurance

  • Carefully analyze your insurance coverage for a supply chain interruption or incident.
  • Speak with your insurance people or agent to understand what protection is available, and at what price.

3. Prior Interruption or Incident History

Analyze historical data to identify past interruptions or incidents from this supplier. You may also need to speak with representatives of business functions affected by each event.

4. Cost of Prior Incidents

Calculate the cumulative financial impact of incidents with this supplier over the term of the relationship (insofar as data are available).

5. Supplier Preparedness

Audit the supplier’s capability to withstand interruptions in its supply chain and at its premises, maintaining its capability to deliver what is promised in the contract. Consider the following tools: site visits, audit reviews (especially SAS 70 certifications), assessment of recovery program maturity, and a review of incident history.

6. Existing Countermeasures

List in-place countermeasures (risk-mitigating and compensatory). Assess their effectiveness and calculate their ongoing costs.

7. Dependency Chain Mapping

  • Identify the chain of critical subcontractors to your supplier for your products/services.
  • Include physical locations and means of transport, if applicable.
  • Determine all single points of failure (location and process).
  • You may need to audit supplier and subcontractor premises and operations.
  • You may need to audit transport mechanisms or other supplier vendors.
  • You may need to audit supplier subcontractors.
  • These audits may need to be on-site.

Table 1

Presenting Your Results to Management

All of your work on data collection and analysis will be of little value if you don’t present it in terms that senior management can understand. This has been an ongoing problem with continuity and risk management efforts over the years, so take the time to carefully craft your results presentation using the steps shown in Table 2.



1. Analysis Summary

  • Describe the vulnerabilities (qualitative and quantitative) associated with the use of this supplier.
  • Describe the cumulative historical costs incurred with this supplier related to interruptions or incidents.
  • Describe the vulnerabilities and single points of failure within this supplier’s dependency chain.

2. Effective Countermeasures

Propose the use of risk-mitigating and compensatory countermeasures, including their annual cost. These are likely to include at least some of the following:

  • Re-negotiation of contracts with more favorable contract terms, including clarified escalation procedures and penalties for supply interruption, late delivery or poor quality, to include conditions for contract termination.
  • Contractual control over subcontractors to suppliers, if possible.
  • Two or more suppliers for the same product/service in different geographic areas.
  • Tested and reliable crisis management plans and processes.
  • Continuous active monitoring of suppliers, to include all single points of failure in the third-party dependency chains.
  • Continuous data collection of financial and operational impacts from each operational interruption or incident resulting from this supplier or its internal dependency chain.

3. Process Definition

  • Recommend the design, documentation, and implementation of a process that includes risk mitigation prior to negotiating and signing a contract with any critical supplier.
  • Recommend a list of other CRITICAL suppliers for which you believe the same kind of analysis would be useful.

Table 2

Special Challenges with Offshore Suppliers

Any firm should be aware of the potential problems that may result from cultural differences at offshore suppliers, including the following:

  • Immature civil law structures and jurisprudence may prevent the application of contractual terms.
  • The more complex the supply chain, the more uncontrolled single points of failure. The greater the number of offshore transport pathways subject to sabotage, strike, or civil disturbance, the greater the risk of disruption.
  • It is extremely difficult to counter culturally endemic corruption in an offshore location, and this can have serious impacts on product quality. Recent product contamination incidents have demonstrated how vulnerable manufacturers are to failures of offshore quality controls. Such incidents are likely to have both immediate and long-term serious financial consequences, and they are difficult and expensive to prevent.
  • It is more expensive to audit suppliers in other countries because of distance, and because offshore suppliers may not respect audits or contracts as much as your own country does.

Ever mindful of the fundamental drivers of competitiveness, the challenge for the risk manager is to design and execute a universally applied supplier risk governance process. That process must decrease the probability of an incident and minimize its potential impact without significantly affecting the cost of the product or service. Ideally, governance of supply chain risk becomes an embedded part of proactive management and protects the long-term competitiveness and value of the organization.

The clash of cultures between the contracting firm and its offshore suppliers will continue to engender quality control risks, as recent cases so vividly indicate. Firms should factor those risks into the competitiveness equation: low costs plus high profits plus supplier reliability equals sustainable business.

About the Author

Kathleen Lucey is the President of the BCI-USA Chapter and runs Montague Risk Management, a specialized consulting firm. She lives in New York City and can be reached at