pec 2017 6 aprile | risk supply chain_santino

Milan, 6 April 2017. Marco Santino @ PEC 2017. Levers for tomorrow's Procurement: Supply Chain Risk Management

Upload: i-faber-spa

Post on 23-Jan-2018


TRANSCRIPT

Page 1: PEC 2017 6 Aprile | Risk Supply Chain_Santino

Milan, 6 April 2017

Marco Santino @ PEC 2017

Levers for tomorrow's Procurement: Supply Chain Risk Management

Page 2: PEC 2017 6 Aprile | Risk Supply Chain_Santino

Supply chain risk management increasingly important

Increasing risk exposure and supply chain vulnerability demand systematic approach

Stronger supply chain vulnerability

• "Optimized" supply chains: Lean supply chain with lower buffer inventories

• Complexity of product range and technical equipment: Increased purchasing variety with higher supply network complexity

• Outsourcing: More actors along the flow, dependencies and interconnections

• Global flows: Larger and more complex manufacturing network, resulting from the last 20 years of evolution

Increased risk exposure

• Natural disasters almost tripled and man-made disasters increased by 50% since 1970

• Recent events with supply chain impact include: natural events, organized strikes, plant explosion, market downturn

All industries are impacted

Source: Center for Research on the Epidemiology of Disasters, BCG

Page 3: PEC 2017 6 Aprile | Risk Supply Chain_Santino

Different "type" of risks to consider

• Operational risks

• Geopolitical risks

• Catastrophe risks

• Market risks

• Strategic risks

• Financial risks

• Supplier risks

[Axis label: Increasing manageability of risk]

Source: BCG

Page 4: PEC 2017 6 Aprile | Risk Supply Chain_Santino

Political instability: BIG impact on global supply chains

Impact on Procurement

• Need to anticipate impact and put in place contingency plans

• Negotiate flexible deals or shorter term contracts to accommodate political / regulatory risks

• Need to design flexible supply chains

• Need to carefully plan for a correct risk allocation and more sophisticated formulas (currency risk, inflation risk, commodity price volatility risk, etc.)

• On longer term contracts: work with finance and consider hedging models

• Increase buffer inventory

• Prepare for changes in tendering regulations

• ...

Source: Press Clippings

Page 5: PEC 2017 6 Aprile | Risk Supply Chain_Santino

What's next? Cyber security ...now part of the procurement agenda

The risk is spreading also in unexpected fields ...

Example: Energy Delivery System

In 2016 a trio of highly trained hackers baited the employees of an electric utility north of Seattle. They had a bite in 22 minutes

Supervisory control and data acquisition systems and other automation tools are becoming the norm as utilities modernize their grids

However, many of those energy delivery systems "are configured with default accounts and passwords that are sometimes publicly available"

Unused and unnecessary software and services in energy delivery systems and components that are left enabled can pose potential entry points for exploits, especially if they are not monitored

...and is also impacting Procurement

"The Supplier shall remove and/or disable, through software, physical disconnection, or engineered barriers...."

"The Supplier shall disclose the existence of all known methods for bypassing computer authentication...."

Source: Cyber Security Procurement Language for Energy Delivery Systems, US Department of Energy

Page 6: PEC 2017 6 Aprile | Risk Supply Chain_Santino

Need a comprehensive, objective, balanced approach

Focus should be on both short term and long term decision making

Comprehensive

• Cover all relevant risks

• Covers systematic, unsystematic, component and commodity risks

• Relevant across all types of suppliers (International, Large domestic players, SMEs, JV / non JV)

Objective (Enables Common Vocabulary)

• Standard list of metrics

• Defined number of comprehensive metrics

• Most metrics with objective, data-based assessment

• Standard measurement and scoring systems

• Standard action library

Short term & Long term

• Focus on both strategic and operating metrics

• Aims to manage short term production interruptions and challenges

• Also focuses on managing long term supply risks at component level

Focus on decision making

• Creates a portfolio level view with all important decision inputs

• Prioritize on the basis of severity and impacts of risks

• Links risk assessment to action library

Page 7: PEC 2017 6 Aprile | Risk Supply Chain_Santino

Time to adopt holistic Supplier Risk Mgmt approaches

To anticipate, analyze and mitigate disruptions early on

[Framework diagram. Labels: Supplier risk; Supplier leverage; Demand-Supply Imbalance; Component criticality; Define; Prediction; Mitigation; Commodity Risk; Risk Analysis; Events database; Actual Supply Failure / Price failure / untracked unsystematic event; Supply Risk (Component risk); Commodity Risk; Event occurs; Update; Prediction efficiency feedback; Mitigation efficiency feedback; Action guide]

Short term risks, short term mitigation

• Supplier plan (e.g. funding)

• Internal actions (e.g. inventory, SoB)

• ....

Long term risks, long term mitigation

• Supplier plan (e.g. Part / vendor development, Supplier investment)

• Internal action (e.g. insurance policy)

Further labels from the diagram:

• Spare capacity

• Time to add capacity

• Financial risk

• Operating risk

• Location risk

• Supplier/OEM dependency

• OEM demand – short/long term

• Unsystematic risk


MSIL Framework 20120924T0846+0530.pptx. Draft—for discussion only. Copyright © 2012 by The Boston Consulting Group, Inc. All rights reserved.

Component level dashboard will be created to reflect the overall risks and arrive at action steps at the component level

Component 1

• Lead time to develop new capacity: Low

• Component Criticality: Low

• Buffer Capacity available in the industry: High

Legend: low risk / medium risk / high risk

| Supplier | Location | Supply Lead Time | Q/D rating | Dependence (Suppliers) | Dependence (Ours) | Supplier Criticality Score |
| --- | --- | --- | --- | --- | --- | --- |
| Supplier 001 | xxx | 14 days | AAA | 10% | 70% | Low |
| Supplier 002 | xxx | 3 days | ABB | 65% | 15% | High |

Further columns: Risk ratings (Likelihood, Impact); Risk mitigation steps

Column notes:

• Supplier, Location: List of all suppliers along with their location

• Supply Lead Time: Average cycle time for delivery

• Q/D rating: Quality and delivery rating

• Dependence: Dependency matrix

• Supplier Criticality Score: How critical is this supplier overall to us, including other components that it supplies

• Risk ratings: Risk scores across various sub-categories of risk

• Risk mitigation steps: The final actions based on action library / supplier & component criticality (internal actions to reduce impact of risk; supplier actions to reduce probability of risk)

Page 8: PEC 2017 6 Aprile | Risk Supply Chain_Santino

Define a dashboard of Key Risk Indicators (KRI) ...

Geopolitical risks

1.1 Socio-political risks

Examples:
• Political stability
• Political independence
• Separation of power
• Corruption
• Criminality
• Expropriation
• Strikes

Pragmatic KRIs:
• Country risk rating (e.g. World Bank)
• Corruption index
• Criminality index
• Population satisfaction rating
• History of strikes

1.2 Legal risks

Examples:
• Export restrictions, tariffs
• Tax discrimination
• Labor policies
• Grants and subsidies
• Environmental regulation

Pragmatic KRIs:
• Tax rates
• Foreign relations assessments
• Frequency of regulation change

1.3 Infrastructural risks

Examples:
• Power
• Transportation
• Telecommunication

Pragmatic KRIs:
• Infrastructure coverage and quality rating
• Infrastructure investments

Catastrophe risks

2.1 Environmental disasters / extreme weather

Examples:
• Flood
• Earthquake, tsunami
• Tornado, hurricane, typhoon, monsoon, blizzard, ice storm, hail
• Avalanche
• Drought, heat wave, wild fire
• Epidemic, famine

Pragmatic KRIs:
• Number of hazardous geographical locations
• Past incidents of natural disasters

2.2 Man-made disasters

Examples:
• Accidents
• Fire
• Explosions
• Spillage

Pragmatic KRIs:
• Accident rates
• Dry zones
• GDP

2.3 Violent acts

Examples:
• Military coup d'etat / Revolution
• Terrorist attack
• (Civil) War
• Vandalism

Pragmatic KRIs:
• Population satisfaction rating
• Foreign relations

Legend: high priority indicator

Source: BCG example

Page 9: PEC 2017 6 Aprile | Risk Supply Chain_Santino

...with agreed metrics and scoring system in place

1. Define hard & soft indicators; objective and simple

2. Define how to capture the data and the update frequency

3. Define uniform scoring logic which can be codified for automation

Example: Liquidity risk (5.3)

| Metric | Type | Data Source | Who will update? | Update Freq¹ | Scoring Logic |
| --- | --- | --- | --- | --- | --- |
| History of vendor approaching OEM for funds (working capital/advance payment) in last 12 months | # | OEM internal data | Buyer | 3 | Red = > 2 times or greater than 10% of annual turnover; Yellow = Between 1-2 times or <10% of annual turnover; Green = 0 |
| Current ratio (Current assets / Current liabilities) | Ratio | Annual report | Vendor upgrade team | 12 | Red = < 1; Yellow = between 1 & 1.5; Green = > 1.5 |
| Short Term Credit rating (Crisil, D&B, Cibil, CARE, ICRA) | Rating | Public source | Vendor upgrade team | 6 | Rating by different agencies is clear in terms of high risk / medium risk / low risk |
| Interest coverage ratio (PBIT/Finance charges) | Ratio | Annual report | Vendor upgrade team | 6 | Red = < 1.5; Yellow = between 1.5 and 2; Green = > 2 |
| Is vendor paying his tier 2/3 vendors in time? | Yes/No, Months | Feedback from tier 2/3 supp | Central source | 6 | Red = Tier 2/3 vendor has complained to OEM. Else, Red = > 3 month delay; Yellow = Between 1 to 3 months; Green = Less than 1 month |
| Is vendor paying employees in time? | Yes/No, Months | Supplier audit | Buyer | 3 | Red = > 1 month delay; Yellow = Between 2 weeks and 1 month delay; Green = Less than 2 weeks |
| Is vendor maintaining adequate RM/FG inventory | Yes/No, Shortfall % | Supplier audit | Buyer | 3 | Red = If shortfall > 50% of his expected inventory; Yellow = 25%-50%; Green = < 25% |
| Choice of payment cycle by vendor | 10 / 30 days | OEM internal data | Finance / Buyer | 6 | Yellow = 10 day payment cycle; Green = 30 day payment cycle |

1. In months

Page 10: PEC 2017 6 Aprile | Risk Supply Chain_Santino

KRIs set to assess specific supplier risk...

For suppliers in high risk component categories

Geopolitical risks

• Sociopolitical risks: Country risk rating; Corruption index; Criminality index

• Legal risks: Tax rates; Frequency of regulation change

• Infrastructural risks: Infrastructure coverage and quality rating; Infrastructure investments

Catastrophe risks

• Environ. disasters: Past incidents of natural disasters

• Man-made disasters: Accidents; Dry zones

• Violent acts: Population satisfaction rating; Foreign relations

Market risks

• Macro-econ. devel.: GDP (growth); Employment rate; Inflation; Gini index

• Market price devel.: Commodity indices for major used components

Strategic risks

• SC structure: # of alternative suppliers; Supply / demand situation

• Industry concentr.: Market share; # of clients

• General strategy: Image ranking; Contract duration

Financial risks

• Profitability: EBIT; Net profit margin; Cash conversion cycle

• Funding: Current ratio; Rating; Debt / equity ratio; RoE, RoA

• Liquidity: Credit lines; Cash position; Refunding rates; Liabilities; Liquidity plan

Operational risks

• Process / org. risks: Infrastructure rating

• Personnel risks: Employee age; Level of education; # of labor unions

• Technological risks: Age of machinery; Facility restoration

Legend: to be assessed for countries in which supplier has production facilities / to be assessed for supplier itself

Source: BCG

Page 11: PEC 2017 6 Aprile | Risk Supply Chain_Santino

... and create discrete supplier risk profiles

Detailed understanding of supplier-specific risks

Supplier 1

[Risk profile heat map. Legend: low risk / medium risk / high risk. Summary row: Total supplier risk score]

Risk categories: Geopolitical risks; Catastrophe risks; Market risks; Strategic risks; Financial risks; Operational risks

Indicator groups: Sociopolitical risks; Environ. disasters; Macro-econ. devel.; SC structure; Profitability; Process / org. risks; Legal risks; Man-made disasters; Market price devel.; Industry concentr.; Funding; Personnel risks; Infrastructural risks; Violent acts; General strategy; Liquidity; Technological risks

Indicator numbers shown: 1.1, 1.2, 1.3, 2.1, 2.2, 2.3, 3.1, 3.3, 4.1, 4.2, 4.3, 5.1, 5.2, 5.3, 6.1, 6.2, 6.3

Source: BCG

Page 12: PEC 2017 6 Aprile | Risk Supply Chain_Santino

Detail risks by expected loss and manageability...

For high risk suppliers only

Supplier 1

[Matrix: risks plotted by expected loss (Low / Medium / High) against manageability of risk (Low / Medium / High). Expected loss = Risk factor x expected impact¹. Quadrant labels: Actively manage; Transfer/Hedge; Accept; Avoid exposure / contingency plan. Risks plotted: 5.3, 4.2, 5.1, 3.3, 1.1, 2.3, 1.2, 4.3, 6.1, 3.1, 6.3, 1.3, 2.2, 2.1, 3.2, 4.1, 5.2, 6.2]

Manageability of risk: How easily can the risk be managed and how costly is it?

• Can we reduce the probability of occurrence?

• Can we reduce potential losses?

• What are the costs of implementing risk mitigating measures?

• Which frequency is needed for measure implementation?

• Which resources are required?

• What are monitoring costs?

1. Risk factor coming from previous risk assessment; Expected impact (e.g. production downtime) to be assessed with OEM experience

Source: BCG

Page 13: PEC 2017 6 Aprile | Risk Supply Chain_Santino

...in order to develop concrete mitigation strategies

Type of measure and description:

1. Actively manage: Reduction of
• probability of risk occurrence
• potential damage

2. Transfer / hedge: Transfer of risk to external third parties

3. Accept: Company carries risks that cannot be reasonably reduced

4. Avoid exposure / contingency plan: High risk factor, but not manageable

Sample mitigation actions

• Help supplier reduce risk

• Keep inventory

• Insurance companies

• Multiple sourcing

• Prepare fall-back options (dual sourcing, stock keeping,...)

• Coverage with liquidity and stock reserves

• Vertical integration

• Multiple sourcing

• Geographic diversity

• Avoid LCC countries / concentration

Source: BCG

Page 14: PEC 2017 6 Aprile | Risk Supply Chain_Santino

Early warning systems use key trigger events

Checklist for early warning signs

Risk categories: Geopolitical risks; Catastrophe risks; Market risks; Strategic risks; Financial risks; Operational risks

□ Political activities / elections

□ Strikes

□ New legislation / regulation

□ Major infrastructural failures (power outages etc.)

□ Natural disasters

□ Major accidents

□ Riots

□ Price development of commodity markets

□ M&A activities

□ Bankruptcies

□ Major investments, new plant openings

□ Volume problems

□ Profit problems

□ Liquidity problems

□ Change of payment terms

□ Downgrading of rating

□ Frequency of complaints in day-to-day business

□ Major out-placements

□ Quality problems

□ Management changes at supplier

Source: BCG

Page 15: PEC 2017 6 Aprile | Risk Supply Chain_Santino

Technology: a great enabler of advanced approaches

Case Example: Digital control tower provides real time visibility for supplier risk mitigation plans

Source: BCG experience

• Event: Midwest Flooding 2013

• Level of Impact: High (3)

• Location: Midwest US

• # of Client Facilities Affected: 99

• # of Suppliers Affected: 1234

Situation

Digitally enabled view of impact and mitigation of supply chain disruptions

Caterpillar Assurance of Supply Center allows quick evaluation of impact of

unforeseen events and elaboration of mitigation plan

Page 16: PEC 2017 6 Aprile | Risk Supply Chain_Santino


Some best practices

Source: BCG

Need people who recognize risk management as part of their day-by-day-jobs

• Separate team or (better) integrated into buyer roles

• Dedicated capacities and IT systems

Need to link supplier risk management to overall supplier relationship management

• Supplier relationship management can go a long way in reducing supplier risk

Need to identify and constantly challenge main drivers of supply chain risk

• A lot of factors seem to matter

• Takes time to identify those that really drive risk

Need to focus on taking action vs. assigning traffic lights

• Tendency to get caught in analysis

• Clearly defined process with timetable for completing each step helps to avoid

Page 17: PEC 2017 6 Aprile | Risk Supply Chain_Santino

"History will teach us nothing"?

How failing to manage and monitor risk can be the difference between success and failure

In 2000 Royal Philips Electronics, a major supplier of cellular phone chips, an industry operating at capacity, experienced a factory fire

• Initial damage appeared minimal, which Philips communicated to suppliers

• After two weeks, Philips realized it would take 6-8 weeks to fully resolve

Nokia responded quickly and effectively...

• Had a sophisticated disaster recovery plan: category manager noticed a problem prior to any notification from Philips

• Issue was quickly escalated to the executive level and cross functional emergency team was set up

• The team was able to shift sourcing to other suppliers and other Philips plants

• Production was minimally affected

... but Ericsson did not have a disaster recovery plan in place

• Ericsson did not act quickly, alerting the division president only after 5 months

• Ericsson was caught off guard when Philips announced additional delays, causing operations to stall

• Ericsson's mobile phone division suffered a $2.3B loss in 2000 (In contrast the damage to Philips was less than $50M in lost revenue)

Source: Financial Times Press; Michelman 2005; Worldwide Mobile Handset and Subscriber Statistics 2003; BCG analysis

[Chart: Nokia and Ericsson market share (%), '98-'03, y-axis 0 to 40, with the date of the fire marked]

Page 18: PEC 2017 6 Aprile | Risk Supply Chain_Santino


bcg.com