Types of Risks

procurement Audit and risk management

Types of Risks

1. Strategic Risk

It is defined as risks that need to be considered in relation to medium and long-term goals and objectives of the organization. They include:

a) Political: risks associated with a failure to deliver policy for the entity that is served, or to meet the local administration’s policy commitments (e.g. a failure to integrate sustainability considerations into acquisition decisions), and the impact of social unrest, changes in government, and the potential for political turmoil at home or abroad

b) Economic: risks affecting the organization’s ability to meet its financial commitments (e.g. failing to consider the consequences of proposed major investment decisions prior to an acquisition; effects of inflation, recession, and foreign exchange rates).

c) Social: risks relating to the effects that changes in demographic, residential or socio-economic trends will have on the organization’s ability to deliver appropriate services (e.g. failure to procure sufficient elderly care provision for an aging population).

c) Technological: risks associated with the organization’s capacity to deal with the pace/scale of technological change or its ability to use technology to address changing demands (e.g. a failure to procure the appropriate software to allow for the efficient financial management of the authority; failure to manage and protect the security of the data).

d) Legislative/ Regulatory: risks associated with current or potential changes in law (e.g. a failure to address a legal directive).

e) Competitive: risks affecting the cost, quality, or competitiveness of a service (e.g. the failure to address a failing service through improvement, market testing, or outsourcing).

f) Customer/citizen: risks associated with the failure to meet the current or changing needs and expectations of customers and citizens (e.g. the demand to improve the availability of public transport).


2) Operational Risks

Operational risks arise from the functional, operational and administrative procedures by which organizational strategies are pursued. They relate primarily to an organization’s production or service delivery operations. According to CIPS (2012) the following are the main operational risk in procurement and supply chain:

  1. Contract failure
  2. Financial risks
  3. Quality failure
  4. Supply security
  5. Outsourcing and off shoring risk
  6. Technology and information risk

1. Contract failure

Contract management is, essentially, a form of risk management. It is designed to minimize the risk of loss or damage to the organization and its owners as a result of contract non-performance (or contract failure) and the risk of the organization having to curtail, or cease its activities owing to supply failure or disruption, lack of resources or breakdown in supplier relationships.

 Contract failure risk

Risks of contract failure arise from suppliers’ reliability and performance — and/or from the buyer’s contract, project and supplier management policies and practices. They refer to risks arising in the performance of a contract (or project) which:

  • Jeopardize its successful performance (e.g. causing cost blow-outs, schedule delays or breaches of contract) or
  • Create other risks for the organization and supply chain (e.g. poor cost management, or buyer non-payment, leading to supplier failure; or poor ethical conduct by the supplier leading to reputational damage for the buyer).

 Contract failure risks include factors such as:

  • The capacity and capability of prospective suppliers and/or contracted vendors
  • The percentage of supplier capacity utilized by the current contract and other customers (vulnerability to being over-stretched)
  • The likelihood of unanticipated demand (over-stretching capacity)
  • Supplier lead times for delivery and whether there is any ‘slack time’ or flexibility in the schedule
  • Supply risks affecting the supply chain or individual suppliers, and the effectiveness of risk management and contingency planning
  • The accuracy and clarity of specifications, contract terms and buyer expectations
  • Vulnerabilities in   supply   chain   quality   assurance   (especially   if tolerances are tight)
  • Accuracy of scheduling and forecasting
  • The quality, reliability and transparency of data shared between contract participants and stakeholders (supporting risk-managed decision-making)
  • Cost management; internal and external factors impacting on costs; and what price arrangements have been agreed (e.g. cost-plus or fixed- price contracts)
  • Project and contract management effectiveness, to monitor and manage all these elements!

 Legal risk

Legal, contract and related compliance risks may arise from factors such as the following.

  • Poor contract development and contracting processes: ambiguous terms, lack of adequate protections for contractual risks (ensuring that remedies are available); unenforceable terms (e.g. unlawful or unreasonable limitation of liability; penalty clauses instead of valid liquidated damages clauses); lack of supporting documentation (e.g. specifications, KPIs or service level agreements) to specify performance expectations; lack of supplier incentives to promote committed performance; lack of provision for dispute resolution, contract termination, transfer and so on
  • Unmanaged battle of the forms, so that there is ambiguity about which set of standard terms (supplier’s or buyer’s) governs the contract, or the set of standard terms used unfairly disadvantages one party
  • Poor contract administration and change control, e.g.: unauthorized or uncontrolled changes to contract; lack of version control; or lack of communication of contract changes to relevant stakeholders.
  • Lack of adequate protection of intellectual property, assigning and protecting rights of ownership (and license for usage) of documents, drawings, computer software and work specifically prepared or developed in performance of the contract, or used in the performance of the contract. Protections may be secured within the contract (using IP clauses), as well as statutory provisions (such. as registration of designs, patents, trademarks and copyright).
  • Issues of liability for losses from problems such as injury; economic loss, damage to property or legal claims arising from performance of the contract — and whether these are effectively shared with, or assigned to, the supplier.
  • Costs and relational damage arising from commercial or contractual disputes with suppliers. According to a research study (reported in Supply Management, 18 October 2007)’, only 12% of risk management policies have detailed information on how to resolve conflict. Meanwhile, commercial disputes cost businesses £33 billion per year.

Negotiation risks

Negotiations with suppliers have traditionally been carried out by means of a competitive win-lose approach. There is an inherent risk that, even if the buyer is successful in ‘winning’ the negotiation (obtaining the immediate, task-based price or deal improvement objective), the process; could damage the supplier’s commitment, the buyer’s status or reputation as a good customer, and the long- term buyer-supplier relationship all of which could lead to damaging consequences at a later date.

Other risks which might be identified as inherent in the negotiation progress can be summarized as follows.

  • The risk of ‘losing out’ from the negotiation, if a zero-sum or ‘win-lose’ approach is used
  • The risk that unacceptable or unfeasible concessions will be made, which will cause economic loss, conflict and other negative impacts if followed through.
  • The risk of reaching an impasse: not being able to reach a solution or agreement that is acceptable to both parties — and therefore wasting negotiation time and cost without ratifying or implementing an agreement
  • Adversarial relations with the other party, if the negotiations have been win-lose in style: this may have critical secondary risks (e.g. if key suppliers or employees are alienated or resentful, and co-operation is damaged)
  • Conflict or divergent tactics within a negotiating team undermining the bargaining position (and/or the acceptability of the result to internal stakeholders)
  • Ethical and reputational risk: e.g. if negotiating power is used for personal gain; or there is breach of confidentiality during or following negotiations
  • Compliance risk: e.g. if statutory procedures are not complied

The following are some measures to control and mitigate these risks.

  • Detailed pre-negotiation research (e.g. supplier appraisal, price research)
  • Careful position planning: establishing the ‘range of negotiation’ between best possible and worst acceptable outcomes, and having a prepared walk-away position (resistance point) and BATNA (best alternative to a negotiated agreement).
  • Making provision for third party mediation or arbitration; where negotiation is insufficient to resolve a deadlock .
  • The segmentation of supply relationships, in order to select appropriate negotiating approaches and styles: for example, a more integrative, problem-solving approach for suppliers of strategic or critical items
  • Rehearsals of negotiation tactics (especially by negotiating teams)
  • Ethical policies   and   awareness   programmes,   supporting   ethical negotiation
  • Pre- and post-negotiation stakeholder communication; in order to minimize the ride of failure to accept and ratify the resulting agreement
  • Evaluation, reporting and learning from negotiations, to improve performance next
  1. Financial Risks

Financial risks may be internal, arising from the organization’s own financial structures and transactions. Here are some examples.

  • Lack of price or cost analysis in setting or negotiating prices for a contract
  • Lack of budgetary and cost control and management through the life of the contract, leading to cost blow-guts and lost profits
  • Poorly designed or implemented financial controls and procurement or payment procedures, leading to the risk of financial fraud
  • Financial penalties incurred as a result of poor contracting, or contract non-compliance (e.g. interest on late payments to suppliers)
  • High capital investment in a contract or project, accompanied by inadequate investment appraisal, lacy of whole-life costing, or high costs of loan finance
  • Lack of liquidity: lack of provision (through cash flow and asset management) to have adequate cash (or, assets such as stock and debtors which can be quickly converted to cash) available to cover short-term liabilities
  • A poor credit rating, based on credit performance and financial strength, making it difficult or costly to ‘ obtain credit and/or loan finance.

Financial risks may also be external; resulting from factors such as:

  • Macro-economic factors, such as: business cycles (e.g. economic recession, creating low demand, poor credit availability, and supplier instability); fluctuating commodities prices; availability and costs of finance (interest rates); and fluctuating exchange rates (in international transactions)
  • The financial strength, stability and general ‘health’ of suppliers: the risk of their suffering credit problems (limiting their access to short- or long-term finance to cover their liabilities or invest in development) or cash flow problems (affecting their ability to maintain operations and supply, by paying their own employees and suppliers); and — most critically — the risk of supplier insolvency and failure.

Exchange Risk

As an importer or exporter, you will find yourself exposed to foreign exchange risk arising from your need to either buy or sell currency relating to a trade transaction. Movements in exchange rates can work in your favour and enhance profitability but, equally, they can have the opposite effect and seriously erode profit margins or lead to a loss.

The exporter loses money if the currency s/he is paid in falls against the local currency, while the importer will have to pay the overseas supplier more if their currency rises against the local one. Hedging covers the trader against any risk of loss by ensuring that they pay or receive the equivalent of the amount originally expected. The mechanisms of hedging are called derivatives, which allow a trader to cover the risks of price and currency fluctuations.

Types of Foreign Exchange Risks

There are three types of risks associated with foreign exchange:

  • Transaction risk – This is the risk of an exchange rate change on transaction date and the subsequent settlement date, i.e., it is the gain or loss arising on conversion.
  • Economic risk – Transactions depend on relatively short-term cash flow effects. However, economic exposure encompasses the longer-term effects on the market value of a Simply put, it is a change in the present value of the future after-tax cash-flows for exchange rate changes.
  • Translation risk – The financial statements are usually translated into the home currency to consolidate into the group’s financial statements. It can pose a challenge when exchange rates change.

There are a number of ways of managing exchange rate risk.

Internal techniques to manage/reduce forex exposure include the following:

  • Invoice in Home Currency – The purchaser might be able to transfer the risk to the suppliers, by getting them to quote prices in sterling. (This might be a tough negotiation, unless the. purchaser has strong power in the relationship, or can offer concessions in exchange.)
  • Leading and Lagging – If an importer (payment) expects that the currency it is due to pay will depreciate, it may attempt to delay payment. This may be achieved by agreement or by exceeding credit terms. If an exporter (receipt) expects that the currency it is due to receive will depreciate over the next three months, it may try to obtain payment immediately. This may be achieved by offering a discount for immediate payment. The problem lies in guessing which way the exchange rate will move.
  • Matching – If receipts and payments are in the same currency and are due at the same time, matching them against each other is a good policy. However, the only requirement is to deal with the forex markets for the unmatched portion of the total transactions. Also, setting up a foreign currency bank account is an extension of matching.
  • Re-negotiation– If fluctuations are not extreme, it may be possible to estimate the rate that will apply at the time of payment, and negotiate prices accordingly (perhaps with a contract provision that prices will be re-negotiated if the exchange rate fluctuates by a stated Percentage or reaches a stated rate).
  • Paying at the time of contract-It may be possible to agree to pay for the goods at the time of contract (i.e. at today’s known exchange rate), without waiting for later delivery. This is an example of a technique called ‘leading’ (making payment in advance of the due date to take advantage of a positive exchange rate): note, however, that it creates an additional risk for the buyer. A similar technique is ‘lagging’ (making a payment later than the due date, to take advantage of exchange rate improvements): again, note that this is at the expense of the supplier, and raises ethical, reputational and relationship risks.
  • Currency management tools-Another approach would be to use one of the available tools of currency management, such as a forward exchange contract,’ which enable the importer to ‘hedge’ the Under this arrangement, the organization contracts now to purchase the overseas currency at a stated future date, at a rate of exchange agreed now. For example, the importer might enter a forward exchange contract on Day 1, agreeing to purchase $1m on Day 60 in order to pay its US supplier. The cost of the U5 dollars will be fixed by the bank on Day 1, the rate being determined by market conditions and expectations of future exchange rate movements. There is a cost to doing this, but for the buyer, the uncertainty is removed: it knows on Day 1 exactly how much its purchase will cost.
  • Local sourcing– If exchange rate risks are severe, a purchaser may have to consider temporarily sourcing from the domestic market, from a single currency market such as the EU, or from other markets with less volatile currencies.
  • Doing Nothing – The theory suggests that long-term gains and losses gets hedged Short-term losses may be significant in such processes. Advantage is the savings in transaction costs.

Credit Risk

Credit risk is the risk that a customer will be unwilling or unable to pay 4mounts that it owes to a supplying organization, disrupting the creditor’s planned cash flow. This can be a high-impact risk if it concerns a major customer and/or a large amount, and if the supplying firm relies on the cash flow.

Here are some of the mitigating measures for credit risk.

  • Due diligence: the process of gathering information prior to entering into a contract, in order to identify risks which would render it undesirable. In this case, due diligence might involve customer ‘screening and the collection of credit reports or references prior to entering into agreements.
  • Credit limits set and enforced (e.g. by the order processing and invoicing systems, and order authorizations)
  • Credit control procedures: reporting on ‘aged’ and overdue debtors, chasing payment (debt collection and applying-contractual penalties (interest on late payment, withholding of further deliveries in pursuit of settlement and so on)

Supplier Financial Instability

The risks of a supplier encountering financial difficulty particularly suppliers of critical items or strategic supply partners is a major focus of contract and supplier management. A variety of tools is available for monitoring and assessing the financial stability and strength of prospective suppliers and existing vendors (in order to minimize the risk of their unexpectedly going bust and disrupting supply).

Sources of financial information about suppliers

  • Their published financial statements and accounts: balance sheet, profit and loss account and cash flow statements .
  • Secondary data on markets and suppliers for example, analysis of financial statements and results in the business or trade press (and their websites); or published or bespoke financial reports by research agencies such as Dun & Bradstreet or Data Monitor
  • Credit rating companies, which, for a fee, will provide information on the credit status of a supplier
  • Networking with other buyers who use the same suppliers
  • Inviting the supplier’s financial director to make a presentation on its current and predicted financial position to procurement and finance managers. This may only be worth doing for major or strategic suppliers and a prospective (or current) strategic supplier should not decline the invitation

Signs of a supplier facing financial difficulties

  • Low profits
  • High debt levels
  • Have no working capital
  • Rapid deterioration in delivery and quality performance
  • Senior managers leaving the business within a short period of time
  • Changes in the auditors and bankers of the firm
  • Adverse press reports
  • Very slow responses to requests for information
  • Problems in the supply chain (and/or changes in subcontractors)
  • Chasing payment before it is due

Mitigating measures against supplier financial difficulty (cash flow problems) include:

  • Due diligence in regard to supplier financial stability and performance prior to contract award
  • Monitoring of financial ratios and indicators over the life of the contract
  • Setting financial benchmarks, with a contractual requirement to trigger early notification by the supplier if benchmark criteria are not met
  • Monitoring and notification requirements for key contingent factors (such as labour disputes, political unrest or commodity and input cost rises)
  • Prompt or early payment of supplier invoices (especially for SME suppliers, for whom cash flow may be an acute issue) — and encouraging first-tier suppliers to do the same with lower-tier suppliers (who are often SMEs)
  • Assisting key suppliers with loans of finance or assets, staged payments, financial management advice or other supplier development

  1. Quality Failure

For a buying organization looking to buy materials, components or other supplies in a commercial setting and for a marketing organization looking to satisfy the quality expectations of customers and consumers the most important definitions of ‘right quality’ (and the most clear-cut from a risk management point of view) are likely to be:

  • Fitness for purpose or use: that is, the extent to which a product does what it is designed and expected to do; or, more generally, the extent to which it meets the customer’s needs. The British Standards definition of quality is: ‘the totality of features and characteristics of a product or service that bear on its ability to satisfy a given need. ‘
  • Conformance to requirement or specification: that is, the product matches the features, attributes, performance and standards set out in the specification. Conformance therefore also implies lack of detects, and therefore reflects on the quality of the producer’s processes.
  • Comparative excellence: how favorably a product is measured against competitive benchmarks (other products), best practice or standards of excellence – which adds an element of marketing, brand and reputational risk.

It should be fairly obvious that most organizations will seek to maintain the quality of their offerings to their customers, in order to:

  • Differentiate their products advantageously in relation to their competitors. The ability to offer consistently high quality may be an important source of competitive advantage for the organization: managing strategic’ and marketing risk.
  • Position their brands in the market as ‘quality’ brands, enhancing corporate reputation and branding (and therefore building in resilience in the face of reputational risks)
  • Develop customer retention and loyalty (again, building resilience in the face of reputational, economic and marketing risks) and manage the downside risks of poor quality (lost customers, negative ‘word of mouth’ about the brand )
  • Comply with law and regulation (e.g. in regard to the safety and satisfactory quality of goods) – minimizing legal and compliance risks
  • Avoid the financial and reputational costs of product recalls, returns and customer compensation, as a result of poor quality.

By extension, it is important for an organization to manage the quality of its specifications, suppliers and supply chains – and therefore of its materials, components and supplies – in order to maintain the quality of its offering to customers. The quality of the inputs to an organization’s goods and services will naturally affect the quality of its outputs.

Costs of quality failure

The costs of quality failure can be divided into two categories: internal and external failure costs.

Internal failure costs are those that arise from quality failure, where the problem is identified and corrected before the finished product or service reaches the customer. Here are some examples.

  • Loss or reworking of faulty items discovered during the production or inspection process Scrapping of defective products that cannot be repaired, used or sold
  • Re-inspection of products that have been reworked or corrected .
  • ‘Downgrading’ of products (to lower quality grades) at lower prices, resulting in lost sales income.
  • Waste incurred in holding contingency stocks (to allow for scrapped work and delays), providing additional storage and duplicating work.
  • Time and cost of activities required to establish the causes of the failure (failure analysis)

External failure costs are those that arise from quality failure identified and corrected after the finished product or service reaches the customer. Here are some examples.

  • Costs of ‘reverse logistics’ to collect and/or handle returned products
  • Costs of repairing or replacing defective products (which may be returned by the customer, or require servicing at the customer’s location), or re-doing of inadequate services
  • The cost of customer claims for compensation under guarantees or warranties, or where the company is liable for negligence (if the customer has been injured or subjected to lops arising from defective goods or services). Quality is a key source of compliance risk, since consumer protection legislation (et; the Consumer Protection Act 1987) imposes strict liability on manufacturers whose defective products cause damage or loss to consumers (regardless of whether negligence is involved).
  • The administration costs of handling complaints, processing refunds and so on
  • The cost of lost customer loyalty and future sales
  • Reputational damage arising from word-of-mouth by dissatisfied customers, poor product reviews and/or publicity (e.g. about product recalls)

Since the costs of ‘getting it wrong’ are generally perceived as being higher (and further-reaching) than the costs of ‘getting it right’, there has generally been an increased emphasis on quality management, with the aim of ‘getting it right first time’.

Approaches to managing quality failure risk

Techniques for managing quality risk generally fall into two basic categories or approaches: quality control (QC) and quality assurance (QA). ‘

Systems for the detection and correction of defects are known as quality control. This is an essentially reactive approach, focusing on:

  1. Establishing specifications, standards and tolerances (parameters within which items can vary and still be considered acceptable) for Work inputs and outputs
  2. Inspecting delivered goods and monitoring production processes, often on a ‘sampling’ basis (although ‘100% inspection may be used on critical features, or where zero defects are required).
  3. Identifying items that are defective or do not meet specification
  4. Scrapping or re-working items that do not pass inspection – and passing acceptable items on to the next stage of the

You May already he able to see that a quality control approach, based on inspection, has certain limitations for risk management:

  • A very large number of items must he inspected to prevent defective items from reaching production processes or end customers. W Edwards Deming argued that this ties up resources — and does not add value (or indeed ‘improve’ quality).
  • Defective items may slip through without being spotted for even inspected, in unacceptable numbers, owing to budget and schedule pressures (especially if the buyer is operating a strategy of just in time supply).
  • The process aims to identify and reject defective items once they have already been made. By this time, however, they may already have incurred significant — wasted — costs (of design, raw materials, processing, overheads and so on). You are ‘locking the door after the horse has bolted’.
  • Inspection activity tends to be duplicated at each stage of the supply process magnifying the inefficiencies and Systems for the proactive prevention of defects are known as quality assurance. This is a more proactive and integrated approach to quality risk management, building quality into every stage of the process from concept and specification onward. It includes the full range of systematic activities used within a quality management system to ‘assure’ or give the organization adequate confidence that items and processes will fulfill its quality requirements. In other words, quality assurance is a matter of ‘building in quality’ or `weeding out defects’.

From a procurement and supply chain management point of view, you are seeking to ensure that your buying processes, and your supply chain’s quality management processes, work together to prevent defective products or materials ever being delivered.

Quality assurance programmes may build quality measures and controls into:

  • Product designs
  • The drawing up of materials specifications and contracts
  • The evaluation, selection, approval and certification of suppliers
  • Communication with suppliers, feedback mechanisms and quality record-keeping
  • Supplier training and development (where required to integrate the two organizations’ quality – standards and systems)
  • Education, training, motivation and management of employees and suppliers to maintain required levels of performance.

All this would normally be in addition to inspection, sampling, testing and other quality-control technique.

Quality management

The term quality management is given to the various processes used to ensure that quality inputs and outputs are secured: that products and services are fit for purpose and conform to specification; and that continuous quality improvements are obtained overtime. Quality management thus includes both quality control and quality assurance.

A quality management system (QMS) can be defined as: ‘A set of coordinated activities to direct and control an organization in order to continually improve the effectiveness and efficiency of its performance.

The main purpose of a QMS is to define and manage processes for systematic quality assurance.

AQMS is designed to ensure that:

  • An organization’s customers can have confidence in. it’s ‘ability reliably to deliver products and services which meet their needs and expectations.
  • The organization’s quality objectives are consistently and efficiently achieved, through improved process control and reduced wastage.
  • Staff competence, training and morale are enhanced, through clear expectations and process requirements
  • Quality gains, once achieved, are maintained over time: learning and good practices do not for lack of documentation, adoption and consistency

There are several British and international standards for measuring and certifying quality management systems of various types, including the ISO 9000 standard. Organizations can use the framework to plan or evaluate their own QMS, or can seek third party assessment and accreditation.

Total quality management

The term total quality management (TQM) is used to refer to, a radical approach to quality management, as a business philosophy. TQM is an orientation to quality in which quality values and aspirations are applied to the management of all resources and relationships within the firm and throughout the supply chain in order to seek continuous improvement and excellence in all aspects of performance.

Service quality risk

The management of service quality risk is recognized as a more complex process, owing to the intangibility and variability of service provision, and the subjective element of customer expectations and perceptions. Zeithaml, Parasuraman & Berry argue that the quality of a given service is the outcome of an evaluation process by which buyers compare what they expected to receive with what they perceive that they have actually received. The SERVQUAL model suggests that there are five distinct areas which might help buyers and suppliers to understand apparent quality gaps between expectation and delivery which represent points of risk for quality management: Table below



Gap between buyer and  supplier perceptions             of quality The supplier definitions of quality may not be the same as the buyers. Buyer and supplier will need to work together to develop mutual understanding of the requirement,       using service    specifications


and  service level agreements
Gap between concept and specifications Resource constraint or poor specifications skills may mean that the buyers needs or the supplier service concept are not translated fully or accurately into service specifications Buyers will need to co- operate with users and suppliers to develop service specifications which accurately reflect their needs and expectations and the suppliers best capabilities
Gap between specification and performance Specifications  and service level agreements do not translate into actual service levels (e.g. because of operational failures) The buyer will have to pre-evaluate the supplier capability and capacity to deliver (e.g. getting references from other customers using pilot programmes prior to contract etc.)
Gap between communication and performance The supplier communications  may create inaccurate quality expectations Buyers will need to verify information provided by service providers
Gap between buyer expectation and perceived service What buyers or users perceive they have may fall short of what they expected. Buyers will need to manage  user expectations  and perceptions and specify service performance against    objective measures where possible.

  1. Supply Risk and Security of Supply Supply Risk

Supply risk’ is the risk associated with an organization’s suppliers being unable to supply, or supplying goods of inadequate quality. Securing supply is a basic function of the procurement and supply chain management function.

Key Supply Risk Factors

  1. Inadequate buyer-side processes for supplier evaluation, appraisal and selection processes (e.g. pre-qualification of suppliers for tender)
  2. Inadequate buyer-side and supplier-side processes for contract and performance management (e.g. poorly developed contract terms, KPIs, contract performance monitoring, supplier motivation and incentives, problem-solving and so on)
  3. Unanticipated levels of demand, exacerbated by poor demand forecasting and management, lack of data sharing and communication, lack of capacity assessment in supplier selection and so on
  4. Unanticipated materials shortages or price fluctuations due to environmental factors.
  5. Unmanaged performance issues (such as quality problems or delivery delays)
  6. Excessively ‘lean’ supply chains, with little provision for buffer or safety stock to enable the supply chain to absorb disruptions or extra demands
  7. Inadequate provisions for the physical security of supplies and stocks (both in transit and in storage), leaving them open to the risk of piracy, hijacking, theft or pilferage; tampering, contamination or sabotage; damage and deterioration
  8. Natural or human-caused disasters, such as flood, fire or explosion, affecting supplier plant or logistic: services
  9. Market risks, such as industrial action, financial instability (e.g. cash flow problems) or business failures among suppliers
  10. Commodity risk, such as the impact of political instability on the price of oil or gas, or the growth in competing demand for commodities from emerging economies
  11. Transportation risk, including delays, disruption of transport routes due to weather, congestion or political instability
  12. Lack of lesson-learning and continuous improvement, as risks is identified.


Supply Risk Mitigation Approaches.

  1. Supplier evaluation and selection: careful supplier evaluation, pre- qualification and selection (in ‘regard to technical capability, capacity, compatibility and so on); and ratio analysis and financial monitoring of suppliers (to ensure financial stability)
  2. Supply chain management: multiple or back-up sourcing; supplier monitoring, performance management (against defined KPIs) and contract management; supply chain information flows, risk visibility and ‘collaborative demand management; contingency planning for supplier failure (and other supply risks); the application of technology for exception reporting (on schedule, cost and quality deviations); the development of agile (responsive) and resilient supply chains; and so on.
  3. Demand and inventory management: e.g. appropriate levels of buffer or safety stock to cover supply ‘delays or disruptions
  4. Logistics management: e.g. transport risk assessment, insurances and contingency or back-up appropriate packaging, storage, transport mode planning and other measures to ensure the security and integrity of supplies in transit.
  5. Contract development and management using contractual terms to transfer or share risk and liability with the supplier; the use of force majeure clauses to mitigate liability for events beyond either party’s control; the use of intellectual property protection and confidentiality clauses; monitoring and management of contract performance; and so
  6. Insurances for a range of insurable risks

Contractual provisions to be included in a contract between a buyer and supplier to minimize supply risk:

  • Indemnity & liability clauses, – indemnity clause as an undertaking by a supplier to accept liability for any loss arising from events in the performance of the contract and that it will make good the loss to the injured party or parties. Therefore, primary liability is assigned by the buyer to the supplier. An indemnity clause might include a responsibility to pay any costs, such as rectification costs, to make good any loss or damage to buyer property, as a result of negligent or defective work, or any injury to buyer staff, customers or third parties.
  • Testing inspection and acceptance clauses- Inspection and testing clauses may be used to stipulate:

That the buyer is not legally bound to accept delivery of goods (which may imply the transfer of possession, title and risk) before inspection and/or testing of the goods to ascertain that they conform to specification and are fit for purpose

That the buyer is to be allowed a reasonable time to inspect and test incoming goods.

A related acceptance clause may stipulate the right of the buyer to reject goods for various reasons, such as quality defects or lateness of delivery (i.e. stating that ‘time is of the essence’ of the contract).

  • Liquidated damages- A liquidated damages clause is used to guarantee the buyer damages against losses arising from a supplier’s late or unsatisfactory completion of a contract and to motivate the supplier to perform the Such clauses are often used in p large contracts (e.g. for construction works or capital equipment).
  • Use of model form contracts- Model form contracts are published by third party experts (such as trade associations and professional bodies), incorporating standard practice in contracting for specific purposes within specific industries, and ensuring a fair balance of contractual rights and responsibilities for buyer and seller. They are often used in particular- industries to establish conditions of contract between buyer and seller which become an acceptable and familiar commercial and legal basis upon which business is usually conducted.
  • Work-scope obligations and expectations,
  • Contract management and risk management provisions.

Security Risks

In any business or supply chain, there are likely to be significant security risks to supplies and stocks (whether in storage or in transit), arising from factors such as: unauthorized access; tampering, sabotage or vandalism; theft, shoplifting (in retail settings) and pilferage; robberies, hold-ups and hijackings; and industrial espionage.

In addition, businesses are increasingly faced with security risks to personnel, especially in developing countries and politically unstable markets. These include robbery and hijacking, kidnap and ransom, politically-motivated kidnapping and murder, and the risk of personnel being caught up in civil or political unrest, war and terrorist activity.

A range of security measures will be required: some on an ongoing basis and some only occasionally (which presents an argument for outsourcing or contracting to third party service providers, as discussed in Chapter 8). You should be able to identify a range of basic security measures, including deterrent measures, observation and monitoring, physical barriers and warning systems or alarms. These may include:

  • Clear signage warning of security measures in place
  • Security fences, grilles, doors, locked storage areas, clear (and well lit) perimeter zones and so on and protocols for ensuring that they are effectively utilized
  • The use of security guards stationed at (or patrolling) vulnerable areas
  • Identification cards, security codes and passes, reception security, sign-in protocols and other methods of ensuring that access is limited to authorized personnel
  • Security protocols supported by staff information and training (e.g. end- of-day procedures, pairing of staff when transporting cash, varying of cash transport routes, confidentiality policies) and technology (e.g. use of EPOS, CCTV monitoring, unauthorized entry alarms)
  • Protections against natural threats to premises (e.g. fire and flooding): prevention protocols and provisions (e.g. fire doors, alarms, sprinklers), warning systems, tested emergency response procedure
  • Reporting, recording and reviewing all security breaches and incidents, to assess ongoing vulnerabilities.


Supply chain relationship risks

A further key category of business and supply risk is the nature, structure and management of relationships with suppliers. Different risks attach to different types of relationship, sourcing approaches and supply chain configuration decisions. Here are some situations giving rise to particular risks.

  • Sole sourcing arrangements (where there is only one supplier available in the supply market) and single sourcing arrangements (where the organization chooses to use only one supplier for a given requirement) because of the extent of the buyer’s dependency on one supplier, and vulnerability to risks of supplier (and possibly therefore supply chain) failure, complacency or leverage.
  • Outsourcing arrangements — because the organization is effectively replacing its own assets, resources, knowledge and competencies with those of an external contractor, perhaps rendering itself vulnerable to reputational, performance and marketing risk by having the contractor deliver services to customers on its There may also be risks related to loss of control, intellectual Property and confidential data sharing.
  • Long-term partnership relations — because the organization is effectively locked to a long-term collaborative relationship with a partner who may turn out to be under-performing, incompatible, strategically divergent and/or complacent (in-the absence of competition, or continuous improvement agreements). The potential value of partnership may not be realized or may be lost as internal and external changes erode its rationale. Collaboration may itself pose risks to confidential data and/or intellectual property.
  • Supplier tiering (an approach to structuring the supply chain whereby the buying organization develops partnership relations with a few lead providers or ‘first tier’ suppliers, take responsibility for managing the lower levels or tiers of the supply chain) because of the ‘distance’ this causes between the buyer and lower tiers, in terms of performance and CSR monitoring and There may be insufficient supply chain transparency to enable the buyer to ‘drill down’ to lower levels — and it may not be able to rely on the supply chain management and quality or CSR assurance of the lead provider.
  • Supplier switching or opportunistic buying. There may be a range of reasons for changing or switching suppliers, but doing so causes upheaval and cost (identified as switching costs) —especially where strong relationships have been established, and relationship-specific plans had investments made. Risks include: the new supplier failing to performance process or systems in compatibility (e.g. if relationship-specific integration was made with the old supplier); cultural or inter-personal incompatibility (where patterns of understanding and behavior developed in the old relationship); loss of knowledge (where collaborative processes with the old supplier were undocumented); learning curve and teething problems of the new supplier; exposure to new or unfamiliar supply risks; exposure of intellectual property and confidential data (without trust yet having been built up); and problems of adversarial handover from the old supplier to the new (accessing designs, documents, assets, work in progress and so on).
  1. Outsourcing and Offshoring Risk

Outsourcing may be defined as the process whereby an organization delegates major non-core activities or functions, under contract, to specialist external service providers, potentially on a long-term relationship. Lisa Ellram & Arnold Maltzl Outsourcing Supply Management) define it as: ‘the transfer of responsibility to a third party of activities which used to be performed internally. Organizations now routinely contract with specialist external suppliers to provide services such as cleaning, catering; security, facilities management, IT management, recruitment and training, accounting, transport and distribution and procurement.

Risks of outsourcing

Broadly speaking, some of the potential upside and downside risks of strategic outsourcing can be summarized as follows: Table below

Upside and downside risks of outsourcing

Supports organizational rationalism and downsizing: reduction in the costs of staffing, space and facilities. Potentially higher cost of service (including contractor profit margin), contracting and management: need to

compare    with    costs    of in-house


provision and consider potential loss of cost control
Allow focused investment of managerial, staff and other resources on the organizational core activities and competencies (those which are distinctive, value adding and hard to imitate and thus give competitive advantage. Difficult of ensuring service quality and consistency and corporate social responsibility (environmental and employment practices): difficulties and costs of monitoring especially overseas.
Accesses and leverages and specialist expertise, technology and resources of contractors adding more value than the organization could achieve itself for

non- core activities.

Potential loss of in-house expertise of knowledge, contracts or technologies in the service area, which may be required in future (e.g. if the service is

in-house again).

Access to economy of scale and smoothing of demand fluctuations since contractors may serve many


Potential loss of control over key areas of performance and risk (e.g. to reputation if service or ethical issues

arise) over dependence on suppliers

Adds competitive performance incentives, where internal service providers may be complacent Added distance from the customer or end user, by having an intermediary service provider: may weaken external or internal customer communication and relationships and weaken market


Leverage collaborative relationships and can support synergies from collaboration or partnership. Risk of lock in to an incompatible or underperforming           relationships, cultural or ethical incompatibility; relationship management difficulties ; contractor     inflexibility   conflict  or

interest complacency or loss of client

Cost of certainty (negotiated contract price) for activities where demand and costs are uncertain or fluctuating

shared financial risks

Risk of loss of control over confidential data and intellectual property
Ethical and employer relations issues

of transfer or cessation of activities

Potential risks, costs and difficulties

of   in   sourcing   if   the   outsource arrangement fails

Source: CIPS (2012)

Outsource failure risk

Numerous surveys, together with anecdotal evidence, suggest that outsourcing projects often fail to deliver the expected benefits.

Some of the possible reasons for outsourcing agreements include:

  • The organization fails to distinguish correctly between core and non-core activities.
  • The organization fails to identify and select a suitable supplier, leading to poor performance of the outsourced activity, or in the worst cases to supplier failure.
  • The organization has unrealistic expectations of the outsource provider, owing to exaggerated promises or claims in negotiation, or underestimation of the risks of costs (and potential for cost escalation).
  • The outsourcing contract contains inadequate or inappropriate terms and conditions.
  • The contract does not contain well defined key performance indicators or service levels, which means that it is difficult to establish where things are going wrong.
  • The organization lacks management skills to control supplier performance and relationships.
  • The organization gradually surrenders control of performance to the contractor, which is then able opportunistically to take advantage of the organization’s dependency.

Managing outsourcing risks

Effective contract negotiation and management is an essential part of ensuring outsourcing success. Measurement against key performance indicators, regular meetings and defined contacts are vital. From the risk perspective, outsource deals require careful and ongoing monitoring with concerns logged in the risk register.

Key elements in, a risk mitigation strategy for outsourcing.

  1. The need for the outsource decision to be based on clear objectives and measurable benefits, with a rigorous cost-benefit analysis
  2. The need for rigorous supplier selection, given the long-term partnership nature of the outsource relationship to which the organization will be `locked in’. In such circumstances, selection should not only involve cost comparisons but considerations such as quality, reliability, willingness to collaborate and ethics and corporate social responsibility (since the performance of the contractor reflects on the reputation of the outsourcing organization).
  3. Rigorous supplier contracting, so that risks, costs and liabilities are equitably and clearly allocated, an expected service levels clearly defined
  4. Clear and agreed, service levels, standards and key performance indicators, with appropriate incentive and penalties to motivate compliance and conformance
  5. Consistent and rigorous monitoring of service delivery and quality, against service level agreements and key performance indicator
  6. Ongoing contract and supplier management, to ensure contract compliance, the development of the relationship (with the aim of continuous collaborative cost and performance improvement), and the constructive handling of disputes. This is essential if the organization is not to gradually surrender control of performance (and therefore reputation) to the contractor.
  7. Contract review, deriving lessons from the performance of the contract, in order to evaluate whether the contract should be renewed, amended (to incorporate improvements) or terminated in favour of another supplier (or bringing the service provision back in-house).



Offshoring’ refers to the relocation of business processes to a lower cost location, usually overseas. This practice is in essence a form of outsourcing, but the overseas element gives rise to additional risk management considerations.

  1. Protection of patents, designs and copyright, in countries where intellectual property law is weak
  2. Additional transport and logistics risk from long, potentially complex supply chains to domestic markets
  3. Risks arising from political instability, corruption and other risks in particular markets
  4. Operational risks arising from difficulties in monitoring and controlling quality, ethical and sustainability standards of the outsource provider, owing to distance
  5. Operational, reputational and compliance risks arising from cultural, legal and linguistic differences (e.g. lower quality or health and safety standards)

From the buyer’s point of view, there may be particular concerns that the quality of the service provided may decline. Many large companies have met with hostility from customers who have received poor customer service and technical support from overseas centres. Often the complaints have focused on an inadequate level of skill in spoken English, together with the resentment that some people feel at the, general principle of ‘exporting jobs overseas’.

A further reputational risk of offshoring is that workers in less developed countries may be subject to exploitation. Some critics even go so far as to say that the very reason why companies are adopting this approach is so that they can avoid the higher standards of employment and health and safety protection that prevail in the West.

Offshoring may be argued to increase the overall level of risk in the supply chain, since it is more difficult for a buyer to exercise control over a service provider who is geographically distant (e.g. in terms of quality, environmental and ethical monitoring). Recent reputational problems have been faced by Apple, for example, owing to the exposure of poor employment conditions at several of the companies in China to which assembly of its products has been outsourced, allegedly resulting in the suicide of several workers.

  1. Technology and Information Risk

Technology and information risk arise from theft of hardware, and software, cyber-attack, failure or hardware or software, and theft or corruption of information. IT risks include hardware and software failure, human error, spam, viruses and malicious attacks, as well as natural disasters such as fires, cyclones or floods. You can manage IT risks by completing a business risk assessment. Having a business continuity plan can help your business recover from an IT incident. For further reading read supply chain management information systems course book.

Information Risk

As information and knowledge become increasingly systemized and transparent, so they become more vulnerable’ A number of risks may arise from knowledge and information systems, including the gathering of information in supplier databases; the sharing of intellectual property and confidential data with suppliers in the course of collaboration; and the management of relationships via a corporate extranet.

Here information-related risks which might arise for a business, particularly in supply chain management:

  • Risks to the organization’s intellectual capital from unauthorized access to intellectual property
  • (e.g. patents, designs or prototypes) and sensitive commercial data (e.g. on competitive plans or risk assessments) — perhaps as a result of industrial espionage, hacking, phishing or data theft
  • Risks to the organization’s intellectual capital and commercial advantage from misuse of data by: parties ‘with whom it was shared (e.g. a supplier’s breach of confidentiality, or the sharing of data with competitors) — and corresponding risks of liability if the buying organization breaches the confidentiality, or misuses the intellectual property of a supplier
  • Risks to the integrity and security of data, through a range of factors including software corruption; computer viruses; input or transcription errors; and deliberate fraud — exacerbated by poor house-keeping and internal
  • Systems failure, and associated data loss (hence the need for all data to be ‘backed up’ to external hard-drives or servers, and the rise in the use of ‘cloud’ computing using external servers)
  • Compliance risk in regard to law and contractual provisions on issues such as data protection (secure storage’ and relevant use of personal data by corporations), intellectual property (protecting the rights of owners of designs, patents and copyrights) and confidentiality (preventing the unauthorized disclosure of commercially or personally sensitive data)
  • Risks to the integrity and value of data through lack of effective change control protocols (resulting in multiple conflicting versions)
  • Risks and inefficiencies in the design and implementation of management information systems, extranets, contract databases and other relevant systems: e.g. inefficient storage and retrieval protocols; lack of integration and compatibility with supplier systems; teething problems; and systems breakdown
  • Turnover of key personnel and loss of their intellectual property (where relevant) and/or knowledge of the organization’s procurement needs, contract histories and supplier relationships
  • Loss of organizational knowledge, information and capabilities through the outsourcing of functions to external supplier.

A range of risk mitigation measures may therefore be put in place in the following areas.

  • Risk identification and assessment at the system design stage (including stakeholder involvement in system design and implementation)
  • System testing and change-over arrangements for new systems (e.g. parallel running or phased implementation) .         .         ,
  • Preventive maintenance, repair, updating and replacement of hardware, software and peripherals (along with other plant and equipment)
  • Ensuring that all buyer-side and supplier-side information systems are subject to robust access controls (e.g. passwords, user IDs and firewalls) —   and   that   ‘human   mediated’   information   exchanges,   such   as negotiations, are subject to appropriate confidentiality guarantees /.
  • Rules and protocols for the effective and secure use of information system! (e.g. the use of firewalls and anti-virus software, and the training of staff in correct systems use and security awareness)
  • Protocols for the backing-up of stored data, to prevent loss due to systems failure or data corruption (e.g. use of ‘cloud’ computing, regular back-ups to external servers or hard drives and so on)
  • Systems maintenance, contingency planning and back-up systems, to minimize loss in the event of systems breakdown, hardware theft or power failure. There should also be business continuity and disaster recovery plans in place for catastrophic failure
  • Database management, ensuring that useful information and knowledge is captured and maintained, and obsolete information is deleted or archived
  • Protocols and controls over contract changes, variations, versions and updating (with authorized individuals having controlled rights to make amendments and administer versions)
  • Internal controls, checks and balances to prevent misuse of data or funds, and fraud.: examples include authorizations and sign-offs; reconciliation of contracts, delivery notes and invoices; and separation of duties (e.g. the same person does not authorize ordering and payment)
  • Intellectual property protection, through the use of registered design rights, patents and copyrights; and appropriate contractual clauses to control access to intellectual property (e.g. via exclusive or non-exclusive licenses) and to protection ownership rights (e.g. who will own IP generated in the course of the contract?)
  • Confidentiality of commercially sensitive data exchanged in the course of the contract (e.g. using confidentiality and non-disclosure clauses in contracts, training staff in confidentiality, and publishing and enforcing ethical codes)
  • Training staff in the requirements of relevant legislation (including intellectual property law, data protection and freedom of information).
  • Documentation of best practice, supplier relationship histories, learning from contracts and other value-adding knowledge and information — to support organizational learning and prevent loss of data through personnel departure or outsourcing.

Information Assurance

Information assurance (IA) is the practice of managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes. It is related to the field of ‘information security’ (a branch of computer science aimed at the protection of information systems and their contents, mainly by applying security controls and defenses against malicious attacks). However, information assurance embraces a wider range of issues, including:

  • Corporate governance: regulatory standards compliance, internal controls and auditing in regard to data protection, IT systems and fraud prevention
  • Contingency, business continuity arid disaster recovery planning in relation to key systems risks (data loss, security breaches, systems breakdown)
  • Strategic development and management of IT systems to fulfill the current and future needs of the organization (and supply chain), while minimizing risk, through areas such as systems integration, compatibility, flexibility and

Issues that an organization might need to address through its contractual arrangements in order to manage supply chain risk when dealing with the new supplier

Examples of points arising in relation to contractual arrangements are;

  • applicable law,
  • specifications for the supply of ‘developing technology’,
  • explicit and implied terms,
  • conditions and contingencies should be considered,
  • remedies (including under breach) including;
  • financial compensation or liquidated damages,
  • Price – fixed or varied with contract,
  • liability position of strict and vicarious liability pertaining to the act of the company and employees and potential impacts’ relevance of ‘incoterms’
  • IPR protection, insurance cover required to cover any compensation that may become due in indemnities or legal claims arbitration clauses,

contractual performance definitions including testing, inspection and acceptance clauses and the passing of the tit

According to NIGP -the Institute of Public Procurement, the following are the common operational risks in procurement and supply chain;

  1. Professional: risks associated with the practice of procurement (e.g. failure to develop and implement robust procurement processes).
  2. Financial: risks associated with a failure to secure a most economically advantageous outcome to an acquisition (e.g. the failure to apply lifetime costing techniques in a tender evaluation or the failure to apply appropriate financial appraisal techniques prior to contract award leading to supplier failure).
  3. Legal: risks related to possible breach of legislation (e.g. failing to advertise a contract under required directives; failure to include specific contract terms leading to contract failure).
  4. Physical: risks related to fire, security, accident prevention, and health and safety (e.g. failing to procure properly labelled cleaning materials).
  5. Contractual: risks associated with the failure of contractors to deliver services or products to the agreed cost and specification (e.g. delivery by contractors of substandard or out of date food products; failure to meet specified outcomes).
  6. Technological: risks relating to a reliance on operational equipment (e.g. exclusive reliance on an e-Procurement system to deliver critical supply acquisition).
  7. Environmental: risks relating to pollution, noise or the energy efficiency of on-going operations (e.g. reliance on unsustainable sources of commodities).

iii. Project Risk

Project risks are factors that could cause the project to fail. Project risk is an uncertain event or condition that, if it occurs, has an effect on at least one project objective. Risk management focuses on identifying and assessing the risks to the project and managing those risks to minimize the impact on the project. The most common project risks are:

  1. Cost risk, typically escalation of project costs due to poor cost estimating accuracy and scope
  2. Schedule risk, the risk that activities will take longer than expected. Slippages in schedule typically increase costs and, also, delay the receipt of project benefits, with a possible loss of competitive advantage
  3. Performance risk, the risk that the project will fail to produce results consistent with project specifications. There are many other types of risks of concern to projects. These risks can result in cost, schedule, or performance problems and create other types of adverse consequences for the organization. For example:
  • Governance risk relates to board and management performance with regard to ethics, community stewardship, and company reputation.
  • Strategic risks result from errors in strategy, such as choosing a technology that can’t be made to work.
  • Operational risk includes risks from poor implementation and process problems such as procurement, production, and distribution.
  • Market risks include competition, foreign exchange, commodity markets, and interest rate risk, as well as liquidity and credit risks.
  • Legal risks arise from legal and regulatory obligations, including contract risks and litigation brought against the organisations.
  • Risks associated with external hazards, including storms, floods, and earthquakes; vandalism, sabotage, and terrorism; labor strikes; and civil unrest.

Managing Projects Risks

The following are features of effective project management that an organization would take into account in order to ensure that the overall project is successful and that the risks are mitigated as described by Slack et al. 2016.

  1. Clearly defined goals- which can include the overall philosophy or mission of the project and the commitment to those goals from the project team members.
  2. A competent project manager –a project leader who has the necessary blend of interpersonal, technical and administrative skills.
  3. The support of top management-commitment that must be communicated to the project For cross company projects, there may be nominated senior owners from each organization involved in the project and its delivery.
  4. Competent project team members –the selection and training of project teams who have the right blend of skills to successfully complete project.
  5. Sufficient resource allocation-in the form of finance, personnel, logistics etc. which are available when required.
  6. Good communication channels-between those involved on objectives, status, changes, organizational conditions and client’s needs-with timely decision making supported by clear short lines of reporting.
  7. Control mechanisms –put in place to monitor actual events to recognize deviations from plan.
  8. Feedback capabilities- all parties concerned are able to review the project status and make suggestions and corrections
  9. Troubleshooting mechanisms- a system or set of procedure which can tackle problems as they arise, trace back their root cause and resolve them. This enables the active management of risks and issues.

Role of Project Planning in Managing Supply Chain Risks

  • Identifying the deliverables likely duration and cost. This will help inform and support decisions on whether the project will be feasible and worthwhile in cost / benefit and return on investment (effectively – the decision around avoid or accept risk)
  • Determining the resources required at each stage of the project
  • Examination and scrutiny of cost quoted, challenging actual business need over
  • Identifying tasks to be undertaken and their sequencing and timing
  • Control processes such as setting phases and milestones
  • Provides for reviews and establishing targets, budgets, quality, outputs, timescales etc.
  • Helps provide tools and outputs – project plans, charts risk registers etc.
  • Helps give    structure    for    communicating   and    engaging   with stakeholders and supports efficient project management

Leave a Reply

Your email address will not be published. Required fields are marked *