The recent shortage of raw materials and essential components highlighted how important it is for companies to mitigate their supplier risks.
It means identifying and preventing the risks inherent to your relationships with providers so they don’t degrade, which could heavily impact your company’s operations and, ultimately, survival.
Discover what exactly is supplier risk management. What are the different categories of supplier risks? What best practices to adopt to prevent them?
At Trustpair, we handle supplier risk management by preventing vendor fraud! We help international companies mitigate the inherent risks of dealing with their various suppliers across the world. Our B2B solution automatically executes supplier account validation to eradicated the risk of payment fraud. Ask for a demo right away.
What is supplier risk management?
Risk management process and definition.
Risk management is a process by which a company attempts to control the risks surrounding its activities. The risk-manager carries out a risk management strategy of:
- Risk identification,
- Risk analysis,
- And risk responses to risk factors.
This creates a risk profile of your vendors. The purpose of risk-management is then to prepare for all-risk, so the company continues to thrive no matter what happens.
An effective supplier risk management strategy also prioritizes those risks, attaching metrics to quantify them, and addressing high-risks first.
Risk-reduction as well as spotting any vulnerability contribute to building resilience in your organization, and ensure you keep on meeting your business objectives.
Supplier risk control.
Risk mitigation (another name for it) needs to encompass supplier risk too, as they are an integral part of a business. Working with vendors is essential, but many risks come attached to it.
Every company needs to be aware of them and proactively prepare contingency plans. If anything were to go wrong, you’d therefore be prepared. Preventative, ad-hoc measures are what could make a difference between resilience and bankruptcy.
The worst that can happen with mis-managing risks is your business activity coming to a temporary or permanent stop due to a procurement problem with your providers. These problems need mitigation. They usually fall in one of two categories:
- Internal: your provider willingly decides to take an action that negatively impacts your relationship, like an abuse of dominant position, a breach in their CSR policy or a delivery delay.
- External: conditions that are outside of your provider’s control impact their activity, and therefore yours. The COVID-19 period is a prime example of that.
Supplier risks have indeed gained in significance since covid-19. Productions that were stopped started to resume their business activities after a period of calm, which led in certain industries to a higher demand than offer.
Supply-chain difficulties can happen, which in turn negatively impacts more organizations.
Poor supplier risk management has a negative impact on the company’s production line and overall growth. That’s why it’s so important to identify the different types of supplier risks within your company. Doing so means you can be mitigating them properly.
What are the different categories of supplier risks?
There are several types of supplier risks, such as:
- Economic risks: delivery delays, lack of inventory, etc.
- Legal risks: CSR policies, duty of care, GDPR if dealing with UE customers, Sarbanes Oxley compliance, etc.
- Business risks: reputational risks, communication with the correct correspondent, etc.
- Financial risks: wrong order, transfer on a wrong bank account or with a wrong amount, payment delays or financial losses from fraud.
- Cybersecurity risks: everything that has to do with IT risk management like security breaches, fraud attempts with phishing, or identity theft.
With most communications and financial activities happening online nowadays, the latter two deserve more attention.
What are the financial risks when dealing with suppliers?
The financial risks listed above are a good example of disorganized processes that can lead to mistakes and open doorways to fraudsters.
For instance, scammers will make the most of the existing confusion to impersonate a supplier – which is commonly referred to as vendor fraud. Your company, therefore, needs to have a proactive risk management strategy to avoid any supply chain risks.
Scammers can carry our vendor fraud in two different ways:
- By impersonating a bogus supplier, sending a legitimate-looking invoice in order to be paid for goods or services that were never rendered.
- By impersonating a real supplier, and hacking into their system to change the information on the real invoices sent. They could also be sending an email from their address (or a spoofed one) informing you of new payment information. Your company thinks it’s paying your supplier, when in reality it’s transferring funds to scammers.
Both happen quite regularly, but the latter is more common than you’d think. According to our recent study about payment fraud in the US, changes in suppliers credential is the number one way frauds are perpetrated. Learn more by downloading our free report.
A focus on Cybersecurity risks when dealing with suppliers
Those cybersecurity risks have increased exponentially with covid-19. The hastened move from going to the office to working from home led to a sped-up digitization of companies, which irremediably created both human and technological errors.
The move to cloud-based computing, while convenient, has also increased your risk exposure.
In this context, customer-supplier relationships have become an easy target for fraudsters. When business is done 100% online, it’s easier to impersonate a vendor, or even send fake invoices for goods and services that were never purchased (let alone provided).
In order to protect your company from those risks (like vendor fraud, but also ransomware, phishing, etc.) it is essential to adopt a few best practices for your IT governance.
Best Practices for Supplier Risk Management
In order to efficiently mitigate your third-party risks, you need a carefully crafted risk management plan.
This plan needs to highlight your supplier risks, but also cover any hazard that could come up from your third-party relationships. A data-driven risk assessment will prove most efficient to protect you from any vulnerabilities.
Identifying potential breaches and frictions, a key focus of supplier risk management
Any customer-vendor relationship comes with its own set of risks. They depend on the nature of the business conducted, but also on the technology used, the business processes, the communication tools… Which is why it’s important to carry out a thorough due diligence process when you source your suppliers.
Some other elements frequently come back when it comes to the risk inherent to the company-supplier relationship, like:
- Mismatched goals
- An unbalanced relationship (for instance abuse of dominant position)
- A unique supplier
- Vague contract terms
The above may pose threats to your relationship and ultimately your business’ continuity. A careful risk-assessment therefore needs to be carried out during vendor onboarding.
Mapping out your supplier risks
Once your company identifies those factors, you can establish an accurate map of your supplier risks.
The goal of this map is to identify the various categories of risks that weigh on the process of purchasing from your various providers, such as:
- Financial risks: when a supplier isn’t producing at full capacity, or at all. That will impact your own ability to produce, therefore putting you at risk of not being able to deliver to your clients, and lessen your revenue.
- Industrial risks: when there are delays in production or delivery, or if you’re dealing with hazardous substances for example (or any other market risk).
- Operational risks: when there are risks involving piloting the overall strategy, asset management, or internal process of the company for instance. These have to do with the actual production and/or project management process.
- Legal risks: fraud attempts, non-compliance to regulatory requirements.
- Social risks: CSR policy breach impacting you (eg: finding out they employ children)
- Politico-economical risks: market risk and price fluctuation, change in domestic and international policies, natural disasters (like an earthquake) or environmental events, etc.
- Cybersecurity risks: phishing, malware, ransomware, identity theft and other fraud attempts through remote communications.
This map must be established for each of your suppliers. You could also set up for each a few key risk indicators for your Chief Risk Officer (or anyone involved with internal control) to monitor on a dashboard.
Respecting the KYS and KYS process.
The KYS and KYC processes are used by a company to verify the identity of its third parties:
- Suppliers (KYS = Know Your Supplier)
- Consumers (KYC = Know Your Customer)
These due-diligence processes are important in order to prevent money laundering and terrorism funding.
The KYC process as we know it was actually implemented through the Patriot Act passed by Congress in 2001.
It became mandatory for all financial institutions in 2002, and all associated processes have had to conform to the Customer Identification Program (CIP) ever since.
In 2016, following a push from FinCEN, banks started collecting the name, social security number, address, and date of birth of clients owning more than 25% of an equity interest in any legal entity.
There are multiple legal obligations to follow, depending on where you’re established and who you do business with.
Compliance with these regulations is a must, but it’s necessary to think further and establish an internal code of conduct as well as an accurate map of your risks (following the previous risk framework).
You also need to set up:
- Internal alert measures when violations or breaches are detected;
- A plan for monitoring said risks;
- Contingency plans for every eventuality;
- A training strategy for your employees to keep evaluating the risks in your third parties.
Following the payment terms
Outside of government organizations, there isn’t any federal law stating payment terms in the US. Each state, industry, or even business has its own practices.
It’s generally accepted that orders are to be paid 30 days after the invoice is sent (Net30), but it’s a business standard rather than a legal obligation.
In fact, a survey from 2017 by Atradius Solution found that the average payment terms for American businesses was 27 days from the issuance of the invoice. With the move towards online invoicing, this delay is expected to be shortened (more recent research from Xero suggests 2 weeks).
It’s up to each organization to set up its own payment processes and payment terms. It makes for good business practices, as well as establishes clear rules to be followed internally.
Each company (or even department) should have a standard management process for bank transfers to third parties. This lessens the risk of fraud – for instance, the risk of CEO fraud, where a scammer impersonates the CEO asking for an “urgent” payment to a provider, which turns out to be a fake account.
At Trustpair, we strongly recommend you abide by the “4 eyes principles” in order to catch any oversight. That means having at least two people involved in your payment campaigns to make sure there are no mistakes or frauds carried out.
Adopting tech solutions to optimize your supplier risk management strategy
To finish, and because of their importance, cybersecurity and fraud risks must be tackled specifically. As well as training your employees to follow best practices, it’s important for your company to consider using an anti-fraud solution like Trustpair.
Our SaaS software checks in real-time the data of your third parties to ensure it’s correct. Our solution is connected to financial data sources across the world and automatically and systematically checks every addition or modification of financial information in your vendor master file (ie the totality of your third party relationships).
The company identity/bank identity pair is verified, which means your company is protected from fraud attempts, but also from payment delays or errors. Trustpair allows you to fight cybersecurity risks, which are prominent in supplier risk-management, and to secure your procure-to-pay processes.
- Left unmanaged, supplier risks can lead to your business activity coming to a temporary or permanent stop due to a problem with your providers.
- Your supplier relationship can suffer from internal or external factors. There are different categories of risks like financial, legal, job-related, or cybersecurity.
- In order to safeguard your company, you need to set up a risk-management strategy (that includes monitoring and contingency action plans) to handle your third party risks.
- One of the best risk management software you can decide to implement to prevent the risk of financial fraud is Trustpair.