A Short Guide to

Procurement Risk
Richard Russill
http://www.gowerpublishing.com/isbn/9780566092183
3
Procurement
and Risk The
Big Picture
1
PROCUREMENTS PLACE IN THE BUSINESS
AND THE NEED TO GET IT RIGHT
Every business enterprise uses suppliers in one form or
another. It is inherent in the business model. One enlightened
CEO described her companys business in this way: we buy,
we transform and we sell. She added: and we need to be
equally good at all of that if our business is to be as successful
as possible. In other cases it might be more accurate to say
this is what we do and what we sell to our customers, and
we use external sources (of whatever) to make it possible to
do that. In the public sector, the equation could be expressed
as we buy, we add value and we deliver. The point is that no
company or public sector organisation is an island. Resources
are needed at one end of the business just as customers are
required at the other.
Traditional procurement is no stranger to risk management,
witness any good companys approach to contract terms and
conditions and supply planning. But things move on. Public
A SHORT GUIDE TO PROCUREMENT RISK 1
4
and private sector organisations have outsourced activities
previously conducted in-house; what were domestic supply
chains now span the globe in search of low cost sources; and
communications technologies have dramatically increased
the possibility and appetite for rapid, constant change
whilst also rendering a companys activities more transparent
and open to public scrutiny.
Despite this, most companies are so focused on managing the
people and assets employed in the business and on satisfying
their customers that they fail realise what is going on behind
them in their supply markets. And it is not all good news:
Vulnerabilities in physical supply chains are poorly
understood and managed. This has been identifed as one
of four emerging risk issues likely to impact in the years to
come.
1
The recent capture by Somali pirates of a cargo ship
serves as a stark lesson that this is no theoretical forecast
and that the unimaginable does happen. Increasing
supplier bankruptcies coming in the train of the economic
crisis only add to supply chain woes.
High growth in the Chinese economy in 200708 drove
huge price increases in commodity raw materials along
with additional concerns about shortages of supplies for
Western economies. Freak weather conditions in Brazil
and India caused wholesale prices of sugar to hit a near
28-year high, up 80 per cent in 2009 alone. An expected
knock-on effect will be a global shortage of sweeteners as
big importers of sugar switch into them as a substitute.
1 World Economic Forum Report, January 2008, Global risks 2008.

PROCUREMENT AND RISK THE BIG PICTURE

5
1
Although its supplier had breached a contract, a customer
company had to accept a court ruling in favour of the
supplier because the buyer had not exercised the contracts
termination clause in a timely manner.
2
The value of procurement fraud in the UK increased by
347 per cent during 2008.
3
And truth continues to be stranger than fction. Workers
at a recently bankrupted French company supplying the
car industry threatened to blow it up if their redundancy
compensation claims were not satisfed. The gas bottles
are in the factory. Everything is ready to blow it up, said a
union representative.
4
Another company knew exactly what it was doing in its supply
market but was caught for manipulating supplier behaviour.
5

The computer chip manufacturer was found guilty of engaging
in illegal practices, one being to make payments to suppliers to
halt or delay the launch of products containing competitors
components.
The view that supply chain vulnerability is an ongoing
concern is confrmed by the fact that Aons 2009 Global Risk
Management Survey
6
includes supply chain failure in its Top
Ten most pressing risks around the world. Interestingly at
least half of the risks in the Top Ten can be directly related to
procurement activity, and hence would fall within the remit of
2 Supply Management, 30 April 2009, Use it or lose it.
3 Supply Management, 11 June 2009, The pressure is on.
4 The Daily Telegraph, 14 July 2009. (The claim was settled without the
need for detonation!).
5 Supply Management, 28 May 2009.
6 insight.aon.com The Defnitive Report on Risk, 2009.

A SHORT GUIDE TO PROCUREMENT RISK 1

6
Procurement Risk Management (PRM).
7
One consequence of
this is that procurement risk has emerged as a comprehensive
topic in its own right rather than being a facet of specifc but
fragmented procurement tasks. The beneft of this promotion
up managements agenda is the requirement for more clarity
about what is procurement risk and greater awareness that
risks can lurk in areas where traditionally they have not been
sought.
However, a comprehensive commercially aware approach to
procurement is not the norm. In its absence, organisations
experience one or more of the harming events listed in Box 1
and will under-perform, maybe not survive, as a consequence.
The impact of supply chain disruption on business performance
has seldom been better described than in Hendricks and
Singhals comprehensive, and sobering, study of its effect on
long-term shareholder value. To quote from their concluding
summary:
8
The evidence presented in this report makes a compelling
case that ignoring the risk of supply chain disruptions
can have serious negative economic consequences.
Based on a sample of more than 800 supply chain
disruption announcements, the evidence indicates that
frms that suffer supply chain disruptions experience
33 to 40 per cent lower stock returns relative to their
benchmarks, 13.5 per cent increase in share price
volatility, 107 per cent drop in operating income, 7
per cent lower sales growth, and 11 per cent increase
in costs. By any yardstick these are very signifcant
7 In addition to supply chain failure the risks are: business interruption;
commodity price risk; damage to reputation, and cash fow/liquidity risk.
8 Hendricks, K. and Singhal, V. 2005. The Effect of Supply Chain
Disruptions on Long-term Shareholder Value.
PROCUREMENT AND RISK THE BIG PICTURE
7
1
BOX 1
WHAT ARE THE RISKS OF NO
PROCUREMENT RISK MANAGEMENT?
Proft, budgets, and cash fow are all hurt:
substantial reductions in shareholder value occur
need to maintain a far higher than necessary level of risk
capital
Customers kept waiting or turned down.
Helplessness in dealing with supplier price increases.
Output prices forced up with loss of competitiveness.
Poor supplier performance or, worse, allocation or loss of supply.
Fragmentation and loss of procurement negotiating leverage.
Legally unsound contracts heavily biased in suppliers favour.
Unproductive use of human resources.
Insuffcient 'internal challenge of specifcations and decision-
making.
Decision-makers prey to the tactics of salespeople.
Political embarrassment or damage to company image and
reputation.

economic losses. More importantly, frms do not quickly

recover from these losses. The evidence indicates that
frms continue to operate for at least two years at a
lower performance level after experiencing disruptions.
Given the signifcant economic losses, frms cannot
afford such disruptions even if they occur infrequently.
A SHORT GUIDE TO PROCUREMENT RISK 1
8
The ultimate goal of risk management is to protect and
enhance what the enterprise is primarily there to do. In the
private sector the aim is proftable survival. The public sector
equivalent is to deliver maximum service and organisational
effectiveness within the constraints of the resources provided
to do it. This includes money. But is the risk-catching net
being cast wide enough? Focusing on risks external to the
company tells only half the story. What is less well known is
that risk exposures also exist inside the company and can be
just as damaging.
Whilst excellent articles are written about PRM, the balance
of content trends in the direction of risk evaluation and
mitigation rather than something which is arguably even
more important, namely identifying risks at the outset. As one
Chief Procurement Offcer (CPO) observed: we are good at
Vulnerable to internal and external fraud.
Exploited and manipulated by monopolies, cartels and hostile
contractors.
Supplier innovations passed to competitors.
Beaten to the market by competitors with new products or services.
Too quick or too late to market with own new offerings.
Damage to brand and company reputation by unethical
behaviour or incompetence.
Organisation is penalised for non-compliance with regulatory
requirements.
Organisations activities become subject of public scrutiny and
investigation.

PROCUREMENT AND RISK THE BIG PICTURE

9
1
reacting to issues when they arise but not good at populating
our risk register in the frst place.
PLAYING WITH FIRE: THE ELEMENTS OF PROCUREMENT RISK
MANAGEMENT
Procurement Risk exists for an organisation when supply
market behaviour, and the organisations dealings with
suppliers, create outcomes which harm company reputation,
capability, operational integrity and fnancial viability.
The key word in this defnition is harm. This requires
judgement, criteria, and maybe calculation, to decide if an
event is potentially harmless or harmful. It is also necessary
to distinguish between what is at risk (that is, exposed) and
the possible event that does the damage. For example, the
companys ability to meet delivery commitments is exposed
to the possibility of supply disruption or if a key supplier
becomes bankrupt. Recessions mean that suppliers shut down
production capacity to save overhead costs, which eventually
lead to shortages when the upturn comes. Suppliers use price
increases to ration supplies. Thus, fnancial performance and
the ability to meet budgets is now exposed to the signifcant
price increases that suppliers can impose when it is a sellers
market.
In examining what was at risk, one public sector organisation
addressed the question in what way could our work or existence
be harmed if untamed risks escaped to do us damage? Four
main exposures were identifed:
reputation;
operational continuity;
1.
2.
A SHORT GUIDE TO PROCUREMENT RISK 1
10
fnancial viability;
being a target for litigation.
The need to be clear about what is exposed arises because,
without it, it is diffcult to work out what it is worth to
reduce or prevent a risk from occurring. For example, the
cost of a lost day of production is easily calculated. A possible
disruptive event might be a strike at the haulage company
that has the job of delivering production raw materials. The
strike could feasibly last for fve days. The contingency plan
may be to hold a fve-day stock of materials as insurance
against the possibility of the strike. The cost of this plan can
be compared with the cost of fve days of lost production. If
the contingency plan costs less than the impact of the strike
then it makes sense to action the plan. An apparently cheaper
option would be to hold the supplier responsible for the costs
of non-delivery and seek to recover these afterwards. But this
is reactive, will involve a lot of work to get the money back,
and still leave a dissatisfed ultimate customer whose order
has not been fulflled. These indirect costs must be added into
the total evaluation.
Another reason for taking pains to defne exposures is that
it helps to identify potential disruptive events. The usual
approach is to say here is a supply chain what could go
wrong with it, and what would be the cost of the harm done?
This convergent approach will identify possible events, but
not as many as will be revealed by divergent thinking. The
latter starts with an exposure e.g. reputation and then
imagines all the supply-related things that could happen to
tarnish it. Our reputation is exposed to the actions of others
how many things can we think of that will damage our
reputation if they happen?
3.
4.
PROCUREMENT AND RISK THE BIG PICTURE
11
1
The combination of an exposure and an event is an impact.
If disruptive events happen and the company is exposed as
previously mentioned, then the impacts are:
tarnished reputation;
interrupted day-to-day operations;
spiralling costs;
being sued.
Events actually have to happen to be harmful. But how likely
are they to occur? Sophisticated mathematics can be used to
estimate probability, but for most purposes high, medium
or low will often suffce, although the case for slightly more
precision is made in Chapter 7. These terms can be quantifed
as follows:
high means event will occur in most circumstances and
one event can be expected each year.
medium means will probably occur at least once every fve
years.
low means not expected to occur in normal circumstances
and less than once in every fve years.
Finally, what can be done to mitigate an undesirable impact
caused by a high- or medium- probability event occurring?
A mitigating action will reduce, eliminate, or compensate
for the harm done and, in general, will involve either direct
or indemnity actions. Direct action will reduce or eliminate

A SHORT GUIDE TO PROCUREMENT RISK 1

12
the at risk situation (e.g. by laying down some contingency
stockholding), whereas indemnity actions are designed to let
harm happen but to provide compensation in the event (e.g.
taking out insurance to cover business continuity).
The different elements of being At Risk can be connected as
follows:
Being At Risk = Impact Probability No Mitigation
where Impact = Exposure Event
Just as fre is extinguished when either fuel, or oxygen, or
temperature, is removed from a confagration, so removing
or reducing one or more elements in the above equation
prevents being at risk. However, effective PRM does include
accepting some risks, with these situations being monitored
to avoid being caught out if things change. Other situations
can be left at risk but contingency plans are ready should
risks materialise. And where real trouble lurks, urgent action
is required followed by regular audit.
TARGETING PRM IN THE RISK LANDSCAPE
Many defnitions of risk management exist but are often too
vague to be useful, such as risk is the probability of incurring
loss or misfortune. Most defnitions focus only on the
possibility of a disruptive event, such as a break in the supply
chain, but what also matters is the failure to take advantage
of an opportunity from which the organisation could beneft.
This is recognised in the UKs Offce of Government Commerce
PROCUREMENT AND RISK THE BIG PICTURE
13
1
(OGC) approach which defnes risk as uncertainty of outcome,
whether positive opportunity or negative impact.
9
As stated earlier in this chapter, procurement risk exists for
an organisation when supply market behaviour, and the
organisations dealings with suppliers, create outcomes which
harm company reputation, capability, operational integrity
and fnancial viability. This guide then defnes Procurement
Risk Management (PRM) as the name given to the measures
taken including changes to behaviours, procedures and
controls which remove procurement risks or reduce them
to what is considered to be an acceptable level.
There are a number of pre-requisites for risk identifcation to
be effective. Two important ones are the already-discussed
need to link an event to an exposure to quantify its impact,
and the need for unbridled creativity in imagining potentially
disruptive events in the frst place. A comprehensive search
for at risk situations surveys fve different landscapes where
risks may lurk:
external dependencies (e.g. supply chain robustness,
supplier viability);
market conditions and behaviours (e.g. competitive or
not; supply availability);
procurement process;
management controls;
9 www.ogc.gov.uk Achieving Excellence, Guide 4: Risk and Value
Management.

A SHORT GUIDE TO PROCUREMENT RISK 1

14
ability and agility to handle unexpected events.
External Dependencies concerns the reliance on supply
companies; their values and viability; performance, and the
durability of supply chains. Market Conditions and Behaviours
concerns the competitiveness or otherwise of supply markets;
supply availability; price trends and the regulatory context.
Procurement Process covers the way different people work
together in all decision-making and behaviours which affect
the customers dealings with suppliers. Management Controls
refers to the proper use of authority in the company; the
framework whereby it is delegated and the principles expected
to be employed. In effect this is the DNA of the procurement
process. And the Ability to Handle the Unexpected means just
what it says.
No one of the fve risk landscapes is more important than
the others. Figure 1.1 shows the Risk Catcher which keeps
the total risk management panorama in view, and the search
process comprehensive. Importantly, this integrated approach
encourages different risk specialists to come out of their silos of
operation. For example, management controls is usually the
province of the companys Chief Internal Auditor; handling
the unexpected the concern of the Risk Director; and external
dependencies the focus of the CPO. These three do not often
meet, but some joint risk catching gives them the reason to
do so. The result of a shared risk analysis will be superior to
the sum of its parts, with the bonus that non-procurement
people have their eyes opened to the risks and opportunities
presented by supply markets.

PROCUREMENT AND RISK THE BIG PICTURE

15
1
In the next fve chapters, each of these risk landscapes is
considered in more detail. We start with the subjects most often
written about, namely, a companys dependence on external
supply chains and its exposure to hostile market conditions.
Then follow two less fashionable topics less fashionable
only because little is written about them. This may refect
the fact that they are not truly understood or that they are
not held to be important. The opposite is true. Procurement
Process and Management Controls are highly potent sources
of risk, and all the more so if believed to be not relevant. The
fnal topic deals with the occurrence of unexpected events
and how some people and companies are better than others
at handling them.
Each chapter provides examples of potential risks and what
the remedies look like. Whilst this is useful, there is the danger
that only the symptoms of problems will be fxed rather
than their root causes. Hence, once the more concerning at
risk situations have been dealt with, it is important to make
0
0.5
1
1.5
2
2.5
3
3.5
4
4.5
5
Procurement Process
External Dependencies
Handling the Unexpected
Market Conditions and
Behaviours
Management Control
Figure 1.1 The Risk Catcher
A SHORT GUIDE TO PROCUREMENT RISK 1
16
further changes which create a working climate and culture
where PRM is a fact of day-to-day life rather than a specifc
task only revisited when the risk register needs updating. Thus
the next fve chapters also present the underlying principles
of risk prevention appropriate to each risk landscape. These
ensure a proactive approach to PRM where risks are less likely
to materialise and do harm, as distinct from reactive PRM
where disruptions are allowed but where harm is prevented
by the safety net of contingency plans or by being quick on
ones feet.
When done well, a high-performance risk-aware procurement
process provides the bonus of competitive advantage, with the
ability to capitalise, rather than suffer, from the occurrence of
unexpected events. This short guide explains how to do it. But
before delving further, it is necessary to take stock of where
an organisation currently stands vis--vis PRM best practice.
Box 2 offers the means of a frst self-assessment.
BOX 2
PROCUREMENT RISK MANAGEMENT:
SELF-ASSESSMENT OF PRM
PREPAREDNESS
Assess your companys PRM-preparedness by testing
against the following criteria (1 = low, 5 = high)
Procurement Process
Procurement is non-existent as an identifable defned process
in the company.
Procurement behaviour is streetwise and deal-oriented but with
little structure or functional infuence.
1.
2.
PROCUREMENT AND RISK THE BIG PICTURE
17
1
Internal IT systems offer visibility of the supply chain.
Procurement activity is procedures-oriented and focused on
internal customer service, albeit responsive to need.
Requisitions (timing and quantity) are driven by the companys
daily operations planning system.
IT systems have basic supplier information feeds and basic risk
models are in place.
Procurement activity relies heavily on leverage and muscle-
power.
Requirements are defned by the planning system and/or by
commercially sensible considerations.
Decision-making is supported by analytical tools and an
effective information system infrastructure.
IT systems provide real-time feeds on the status of goods
within the supply chain.
Procurement is a core cross-company process integrated into
the company strategy and designed to maximise sustained
shareholder value. Comprehensive costed risk models are
maintained and frequently updated.
External Dependencies
Orders and contracts are casual or ad hoc and are usually on
suppliers terms and conditions.
Purchases are often made by non-purchasing people with
few, if any, records of transactions made.
All suppliers are treated the same way, although some get more
attention than others. Activity is today orientated.
There is a legal basis for contracts placed.
Supply chains are generally understood and selective contracting
strategies are used.
Few, if any, contract loopholes exist and supplier performance
is monitored.
3.
4.
5.
1.
2.
3.
A SHORT GUIDE TO PROCUREMENT RISK 1
18
Key supply chains are understood in detail. Supplier relationships
vary from arms-length to close collaboration.
Vulnerability Analyses have been completed and contingency
plans are in place.
An active and productive Supplier Relationship Management
programme is in place. PRM is comprehensive.
Management Controls
Nothing is codifed all decisions and actions are intuitive
and/or require top level approval.
Basic business standards, principles and policies are defned.
A framework for Authority Delegation may exist but is most
likely to be out of date.
As 2 but the policies and authorities are regularly reviewed and
updated.
Specifc controls are defned which relate to the procurement
process.
Functional authorities are clearly specifed (in terms of purpose
and clarity).
As 3, plus authorities are substantial and refect an empowered,
skilful culture.
Procurement emphasis is on acquiring best total return on
acquisition costs.
As 4, plus procurement policies are all-embracing (i.e. they
apply to all company personnel).
Market Conditions and Behaviours
The customer company (i.e. yours) generally feels helpless and
is glad to get what they can.
The customer company is vulnerable to supplier sales tactics.
Deals are the suppliers standard offering, but may be
cosmetically enhanced to please the buyer.
4.
5.
1.
2.
3.
4.
5.
1.
2.
PROCUREMENT AND RISK THE BIG PICTURE
19
1
Market distortions are understood and effectively
counteracted.
Fundamental drivers of supply costs are understood and
trends are monitored.
Measures are in place which refect awareness of the possibility
of fraud and unprincipled supplier behaviour.
For key requirements, strategies are in place to infuence supply
markets and to elicit desired market responses (e.g. Reverse
Marketing).
Handling the Unexpected
We know that the unexpected can happen but we hope that it
wont.
Logical contingency plans are in place but tend to be specifc
to a contract.
Comprehensive PRM is in place.
By defnition this includes strategies and contingency plans
for all identifed critical suppliers in terms of proft impact.
The company organisation exhibits the characteristics of High-
Performing Teams and is agile yet goal-oriented when addressing
unforeseen events.
IT systems monitor numerous aspects of the supply chain over
and above materials fow. Examples are supplier solvency and
natural catastrophe alerts relevant to the supply chain.
Not possible as no one can predict everything that might
happen! The gap between 4 and 5 represents the space for
the random event to materialise.
3.
4.
5.
1.
2.
3.
4.
5.
A SHORT GUIDE TO PROCUREMENT RISK 1
20
FURTHER QUESTIONS FOR URGENT
ATTENTION
How many of the undesirable events shown previously
in Box 1 do we experience and what are we doing about
them?
Do we know which are our key supply chains and what
potential events they are vulnerable to?
Have we specifcally evaluated how our corporate strategies
and business plan can be helped or harmed by supply
market events?
Do we have a systematic process for identifying and
evaluating procurement risks?
Is our procurement process segmented into silos or does
it lean more towards being a continuum of parallel
operational and commercial activity?