Supplier Risk Assessment Guide
Without suppliers, your company isn’t able to provide the functions, goods, and services it needs to succeed within its industry. Keeping your supply chain diverse helps you thrive even more, and may even provide you with a competitive advantage.
But every vendor contract, every component you purchase for the production line, and every operational necessity you outsource adds risk to your business. Unless you plan on not using any suppliers – which is next to impossible – that risk is unavoidable. No matter what industry you’re in or the nature of your business, there will always be a certain amount of operational risk to deal with. Third-party risk is always an issue, and certain businesses will present more of a risk than others.
Suppliers that don’t live up to your expectations can wreak havoc. For instance, recent reports from Soha Systems suggest that nearly ⅔ of data breaches are either indirectly or directly caused by a third-party fault. Though IT functions tend to garner most of the attention when it comes to supply risk, a missed shipment or faulty component can cost you just as much.
To counter the threat of these risks, organizations may use supplier risk assessments on their most important vendors for better supplier risk management, also known as vendor risk management. Though risk departments know the importance of these audits, supplier diversity teams may be less aware.
“Supplier risk refers to any inherent risk associated with third-party relationships that may affect a company’s profits or assets. Anything a company does carries a certain amount of risk. However, supplier risk assessments serve as an internal function to mitigate the risks as much as possible.”
Why Risk Can’t Be Eliminated
Supplier risk is inherent; your organization accepts some risk every time you work with a new vendor. No matter what you do, that risk cannot be eliminated, but you can take steps to manage it.
Some suppliers present more risk than others based on a variety of factors, such as how essential they are to your business operations, how easily another supplier can replace them, and how much the risk can hurt you if something goes wrong.
The key to success is identifying and mitigating vendor risks before threats reach crisis level, which is why the supply risk assessment is such a vital part of selecting and managing vendors. These supplier assessments can also factor in supplier performance so that the companies in your supply chain who are serving your business will receive credit for a job well done.
How To Perform A Supplier Risk Assessment
A supplier risk assessment is an audit of the vendor’s processes, policies, and financial health. It determines how much risk working with the vendor poses to your organization. The risk management process can be broken down into six steps.
Step One: Identify the Vendors to Assess
Start by identifying the vendors that are most important to your success and/or present the most risk to your business, otherwise considered to be critical suppliers. These are the vendors who should be subject to a supplier risk assessment. This is a crucial step as the average business uses hundreds or even thousands of suppliers. At best, you’ll only be able to conduct these assessments on a small percentage of the total suppliers working with your organization, so you must make your choices wisely.
Step Two: Build Your Assessment
You must create an assessment you’ll use with the vendors. Generally this takes a questionnaire format. You can create it on your own, with an online resource, or by using supplier risk management software. Part of this involves examining the risks each supplier poses to your business, the severity of that risk to your organization, and the likelihood of that risk materializing and causing problems. For instance, if you work with a supplier located across the globe in an area of civil unrest, how likely is it that issues with the local government would affect their ability to provide the products and services you require? How would you recover?
Typically, your assessment should address key areas such as:
- Quality: How did you perform against your objectives over the past 12 months? How can you improve your program’s consistency and other aspects of what you’re already doing? What lessons have you learned?
- Alignment: Does your company have a vendor risk management program that’s aligned with your business and its regulatory requirements? Have you considered changes in your business and new regulatory guidance?
- Efficiency: Are you doing everything you can to keep your program within the resource constraints you have, while still maximizing the usefulness of those resources?
- Veracity: Are you testing controls in an efficient way that makes sense? Are you testing the control execution risk where appropriate? Or, are you wasting resources with unnecessary testing?
You should use the questionnaire to find out more about the vendor’s policies, processes, and procedures so you can determine their residual risk. Don’t be afraid to ask for proof of the company’s standards in any areas of concern you may have. For example, you can ask for proof of professional licenses or certifications, reports for data centers, external audit reports, and more.
The important thing is not to overwhelm vendors with too many items on the questionnaire. If it’s too long or asks obscure and freeform questions, it’s more likely that you’ll end up with incomplete and inaccurate responses. Keep things simple, standard, and objective, or tailor your questions to probe areas of concern on a supplier-by-supplier basis.
Step Three: Have the Suppliers Complete the Assessment
Suppliers should complete the assessment. In some situations, they may require your help to complete it. They may require multiple employees to answer questions, and they may require documentation.
Step Four: Examine and Analyze the Results
Once the vendor has completed the assessment, you’ll need to examine their answers and analyze the results. Take time to assign each of your vendors a risk rating based on the level of risk and the number of potential risks they pose to your business.
As part of your risk assessment process, you’ll need to evaluate the risks and decide on the appropriate risk management strategy to mitigate each one. For instance, if your internet vendor is constantly having issues and you can’t guarantee connectivity from one moment to the next, but it is the only supplier available in your area, you may wish to purchase a mobile broadband hotspot that lets your computer use your cell phone provider’s internet connection.
Step Five: Take Action Based on the Results
You’ll take action based on the results. This often is in the form of a request to the supplier to remedy any major concerns. In this step, you’ll need to pick your battles. Think about what level of risk the supplier poses that you can live with, along with what must absolutely be addressed.
In some cases, you may wish to ask for an on-site audit so you can understand more about how a vendor operates. This allows you to do a more in-depth evaluation, but isn’t always practical depending on your proximity to the vendor. Due to regulatory compliance issues, some vendors may be required to have an on-site audit, but you still may wish to consider extending that option to any other critical suppliers that are outside of that regulatory umbrella.
In rare cases, you may find that you need to completely remove the supplier from your list. When this happens, it’s important to get the procurement team working on securing a new supplier to replace them as soon as possible so as to minimize the impact of the switch on the business. Cutting ties with a supplier is less than ideal for either party, but may sometimes be required to protect your organization. This is especially true in high-risk situations where little to nothing can be done in terms of risk mitigation.
Step Six: Order More Assessments Periodically
Depending on the supplier and their risk profile, you may also choose to repeat assessments on a regular basis – from multiple times per year to once every couple of years.
To ensure your business has the greatest chance of long-term success, you must do your due diligence when it comes to creating and maintaining supplier relationships. One of the best ways to do this is with a solid risk assessment and management strategy.
PurchaseControl makes performing supplier risk assessments easy.