According to Warren Buffett: “Risk comes from not knowing what you are doing.”
A good example of knowing what you are doing comes from the insurance industry. Insurers measure and track all kinds of risks they may face before defining the premium for an insurance policy.
The American National Standard for Security (ASIS SPC.1 2009) is a good reference for how a company can prepare for organizational resilience in security, preparedness, and continuity management. It helps companies define the overall framework for ERM (Enterprise Risk Management).
Just as a reference, several consulting companies have reported the same issue regarding risk management in purchasing:
Purchasing, as part of any enterprise, should define its own framework within ERM: the types of risk it faces, its risk appetite (risk level), the tools to measure risk and calculate its impact on the company, and the governance to make sure that processes are followed, risks are tracked, and mitigation plans are in place and implemented.
We can list at least four risk types: Supplier Risk, Product / Service Risk, Business Risk, and Commodity Risk. Each one has different risk drivers.
Supplier Risk is related to financial stress, geographic location, code of conduct, border crossing, trade compliance, product stewardship, quality and delivery.
Product Risk is related to supply / demand, number of qualified suppliers, specification, volume under contract, technical options, lead time and supplier back integration.
Business Risk is related to number of approved suppliers (sole sourced), number of plants and their location, and impact on revenue in case of disruption.
Commodity Risk is related to supply / demand balance, suppliers, market forces, cost drivers, resource planning and sourcing strategy.
The key question from Warren Buffett: Do you know what you are doing?
The key question for purchasing professionals: Do you measure and track your risks?