Creating a World-Class Supplier Risk Management Program

Published: September 28, 2020 by Gary Stockton

One of the biggest concerns for procurement and supply chain professionals today is mitigating supplier risk. With regulatory and compliance fines increasing and global markets still reeling from the one-two punch of a trade war followed by the pandemic, having a robust supplier risk assessment program in place is more critical than ever. Gerard Smith is the President and Co-founder of Global Risk Management Solutions, a leading provider of supplier risk management services. In this interview, we talk about what it takes to put together a world-class supplier risk management program.

Has there been an evolution in how companies are managing supplier risk?

Twenty years ago, when I was in procurement, many organizations self-performed everything. In other words, they collected documents and validated them as best as they could. The issue today is with COVID. With COVID, many companies are concerned. The two things we keep hearing about are the financial stability of the suppliers. Are they financially stable? Not only today, but in the foreseeable future, and secondarily, do they have insurance to protect the client company if there are any errors. So, currently it’s the financials and the insurance that companies are most concerned about monitoring.

Why is supplier risk management getting so complicated? 

Well, it’s because companies are starting to source globally, and more and more companies are concerned about the supply chain and if there are issues, whether geopolitical or whatever the case may be. So the idea here is to manage supplier risk proactively, and so there are three components of that. First, based on a client’s requirements – the ability to do the risk assessment based on specific risk components. Second, having a help desk to try and troubleshoot where there are issues with the suppliers to help them to get into compliance. And third, most importantly, being able to monitor those suppliers for changes in status and getting actual push alerts, to be able to act on those. So, in other words, getting in front of the problem versus finding out that a supplier perhaps filed bankruptcy or showed up on a government watch list or something like that.

What components should be in a world-class supplier risk assessment program?

There are five components if a company is looking at their program and wants to see what a world-class program represents.

Customized Risk Program

The first one is that it needs to be customizable in terms of the risk components themselves. So, it could be based on geography; maybe there are different requirements in EMEA than there are in APAC or whatever the case may be. It may be based on spend. I want a deeper dive into my strategic suppliers because I spend more with them than non-strategic. It could be based on risk or a variety of other factors, but the objective here is it cannot be one-size-fits-all. It has to be customizable.

Adjudicating Information

The second component has to be able to adjudicate the information. What that means is clearing false positives. A false positive in our world is that it has selected the wrong company. If you put Bob’s Plumbing into a platform, you may get a hundred choices. The question is which Bob’s Plumbing is your company working with? It has to be able to pick the correct one and triangulate the information.

Reporting

Reporting capability can provide consistent, measurable compliance standards. So that means having real-time, standardized reporting of current risk ratings, to be able to report to management precisely who’s in compliance and who’s not, and why not. What are the issues that we’re dealing with in terms of your supply chain in real time?

Document Verification and Monitoring

It’s easy to collect and manage documents, but it’s hard to validate documents. That’s the problem that the procure-to-pay and source-to-pay companies have, and even the ERP platforms have. If you ask a supplier to upload a document in any of those platforms, the reality is, no one looks at it, and as a result, it literally could be a blank piece of paper. You need to be able to have a system or process where you can validate documents, whether it be the certificate of insurance, the W-9, whatever the case may be.

Continuous Monitoring

Continuous monitoring is the ability to manage suppliers in real-time. The biggest one is financial stability. Being able to manage and monitor suppliers so that if a supplier starts to get into trouble, the company stops issuing purchase orders because perhaps they can’t perform to those purchase orders.

What are the most important risk components that companies need to be aware of? 

There are eight different risk categories. These are the risk components that companies should at least address within their program.

Financial Stability

Financial stability is monitoring financial stability in real time and being able to identify if there are issues, whether they are getting into worse financial shape or perhaps getting into better financial shape.

Digital Insurance Verification

The best practice right now is what’s called digital insurance verification. We’re able to manage insurance coverage electronically. We don’t even have to collect a certificate of insurance anymore. We can do it digitally in North America. That means that we can monitor a supplier to ensure that they continue to have the insurance requirements daily, which is a unique situation. So you want to make sure, at a minimum, you collect the certificate of insurance. If you want the best practice, you do digital insurance verification.

Reputational Protection

We do global adverse media monitoring. So as an example, we manage over 25,000 media sources around the globe looking for negative stories because you want to know if your supplier is caught with child labor, or if they’ve closed a facility somewhere in the world that you’re reliant upon. So adverse media is very big at this point because things are evolving very quickly.

Regulatory Compliance

Regulatory compliance is basically anything that’s government regulation. So, it could be the various sanctions lists. Most people don’t recognize there are over 1500 watch and sanctions lists around the globe, including the U.S. OFAC list. That’s a big one. It can be a Conflict Minerals Declaration, the U.K. Modern Slavery Act, REACH, RoHS, the California Transparency Act; anything that’s a government regulation falls into that category.

Cyber Security

Cyber Security would be anything that’s involved with data and document verification. It has to be able to collect and validate not only the documents such as a code of conduct, but documents with an expiration date such as an NDA or a diversity certificate. Any standardized documents should be part of the program so suppliers don’t get continuously contacted for more documents.

Social Responsibility

Social responsibility could be anything from diversity verification, child labor, those types of things.

Health and Safety

Finally, health and safety could include an HSC questionnaire, EMR ratings, or OSHA statistics.

Those are eight areas that companies should at least consider looking into as far as potential risk components. Obviously, there are different parts to each one of those, but those are the broad categories.

Is it possible to do supplier risk assessments throughout the world? How reliable is the data?

That’s a good question. And the answer is, it depends on what country we’re speaking of. Is the information available? Yes, there are varying degrees of information. You can get more information in North America and EMEA than you can, say, in APAC or South America. Is it available? Absolutely. We can do a supplier risk assessment in over 120 countries. So, it is possible to get information. There is standardized information in terms of the adverse media I spoke about. The watch and sanctions lists, those are all global. There’s a variety of things that can be managed globally. Some of it, in terms of the financials, for instance, depends on which country we’re talking about and how much information can be obtained within that country, and secondarily, whether it can be monitored on an ongoing basis. Again, it depends on which country we’re speaking about.

Watch our On-Demand Webinar

If you would like to hear more about GRMS, watch our on-demand webinar “Mitigating Supplier Risk in a Changing World.” Gerard goes into greater detail on best practices and how you can proactively manage supplier risk while staying resilient in the new normal.

Mitigating Supplier Risk in a Changing World Webinar
