Skip links | Site map | Contact us | Feedback | Accessibility | Full graphics | Text size: A | A | A
Search our Site
  • An upside to the downturn

    • Free trial issue

    Receive a free copy of CPO Agenda magazine

    .

    Risk management

    An upside to the downturn

    Current economic conditions give CPOs the chance to build an organisation that not only protects against the downside of purchasing-related risks but also captures the upside

     

    Spring 2009

     

    by Stephen Finch, Ashley Hubka and Grégory Kochersperger

     

    Upside
    Illustration: James Fryer

    With markets and economies in turmoil, boards and top management are acutely focused on risk and risk management. For CPOs, the consequences of risk are all too clear: supplier bankruptcies leave purchasing departments scrambling to find alternative sources to avoid disruptions in production schedules; record volatility in raw material markets calls established hedging policies into question; while suppliers pressured to reduce costs further may cut corners on quality standards or miss delivery dates.

     

    Today, CPOs are expected to deliver more, even as their resources are being scrutinised and potentially reduced. But trying times also present opportunities. While they have a responsibility to reduce purchasing spend and manage purchasing-related risk exposure, if they approach risk management in the right way they can open up new avenues for growth and build competitive advantage. For CPOs – and their companies – there’s an upside to the downturn.

     

    Oliver Wyman, an international management consultancy, partnered with CPO Agenda to assess the current state of purchasing risk management, to identify concerns and best practices, and to offer guidance to CPOs charged with delivering results and developing their organisations’ capabilities to deal with the new reality.

     

    Drawing on a study of 150 companies in late 2008 and early 2009, including over 70 hours of interviews with senior executives and procurement leaders we found:

    • widespread vulnerability to purchasing-related risks – most importantly, strategic, operational and financial risks;

    • a belief that most types of purchasing-related risks will increase in importance over the next five years;

    • significant variability in the level of organisational maturity in dealing with purchasing-related risks;

    • many companies struggling to build a culture of risk awareness, embed risk management in day-to-day purchasing activities, and address risk in analytically robust ways;

    • few world-class companies using cross-functional and integrated approaches to manage purchasing-related risks as a core business issue.

     

    In this article, we offer a new way to look at risk; a framework to assess the maturity of your company’s risk management capability; specific steps to master the fundamentals and manage the downside; and best practices to drive world-class performance and capture the upside. 

     

    Vulnerability/opportunity: the two faces of risk

    Purchasing-related risks are not new. But as companies and their markets have become more global and more complex, the potential impact of these risks has increased. Purchasing-related risks can now affect the business as a whole to a much greater degree and damage the key drivers of corporate performance: costs, revenues, and even the viability of the business. This broader impact stems from a number of factors.

     

    First, many companies now manage supply chains that span the globe to take advantage of low-cost country sourcing. This introduces new sources of transportation, security and cross-border risk, with 57 per cent of companies surveyed indicating that low-cost country sourcing had increased their risk level. Second, suppliers are responsible for a greater range of products and services today than in the past as companies have outsourced non-core activities; 38 per cent of respondents said outsourcing had also increased their risk level. Third, development and execution cycles have been compressed, leading to more sole or single-source arrangements to meet aggressive deadlines. One executive wryly noted: “As we’ve reduced the supplier base, we’ve become so reliant on something that we cannot control that it’s difficult to manage the business.”

     

     

    [ Zoom ]
    Figure.1

    Tumultuous economic conditions exacerbate the situation and expose purchasing-related risks that were previously hidden. As figure 1 shows, senior executives and purchasing leaders are most concerned with operational, financial and strategic risks. Moreover, companies surveyed believe that their purchasing-related risk profile is likely to increase over the next five years: 68 per cent saw the importance of financial risks increasing; 54 per cent saw strategic risks rising; and 48 per cent saw operational risks increasing (see figure 2).

     

     

     

    [ Zoom ]
    Figure 2

    In this context, many CPOs will empathise with a purchasing executive from a building materials company who said: “Under normal business conditions I would be fairly confident with our risk management processes. But, given the adverse economic conditions, I don’t have a good feeling… only time will tell.”

     

    Nevertheless, there is often a hidden upside to many risks for those companies prepared to act creatively to turn potential adversity into advantage. Treating purchasing-related risks as business issues, looking across the value chain and making “front to back” connections (R&D and manufacturing to sales and end customers) allows the commercial side of the business to anticipate and adjust more rapidly to changes in the purchasing environment – and vice versa. The result is greater customer responsiveness, faster revenue growth and new sources of innovation, as well as better downside protection and cost control.

     
    Consider a few concrete risks:

     

    Strategic risk: managing external alliances to accelerate growth. Many companies judge the risk of losing product formulations or intellectual property to suppliers to be too high to build deep, mutually beneficial strategic partnerships. As a result, they bear the full costs of research and development. By contrast, Procter & Gamble has set an aggressive target of half of its total innovation to come from external sources. The company is already enjoying a payoff in terms of new product introductions and formulations brought by, or developed in conjunction with, suppliers, lowering the development cost per product and increasing the range of new ideas to test with customers. P&G manages the inherent risks through careful partner selection and a business system that aligns all parties’ interests.

    Operational risk: sharing risk to lower costs and improve supply security. The downside associated with operational risks is a familiar litany – late delivery, non-delivery, poor quality – each of which affects internal operations, resulting in lost revenue, reduced profitability, delayed introduction of a new product, or damage to the brand. During the tech boom, Hewlett-Packard faced a shortfall of memory devices used in its highly profitable printers, threatening to upset customers and investors with missed shipments. To address this supply problem, HP created its Procurement Risk Management (PRM) programme. This uses sophisticated analytics to segment projected component volumes into different tiers. HP then negotiates with suppliers to match the component’s price to the strength of HP’s volume commitment.

     

    For example, for core demand, HP will negotiate a low price and offer a guaranteed purchase volume to the supplier. For less certain demand, HP accepts a higher price but does not commit to fixed volumes. For highly uncertain demand, HP meeets its needs on spot markets. The value of this approach is that demand risk is shared between HP and its suppliers, with those bearing the risk receiving the rewards. Through PRM, HP has saved over $100 million and has become a “customer of choice” when supply markets get tight, creating a powerful competitive advantage.

     

    Financial risk: using input price volatility to increase margins and sales. Of those companies surveyed that indicated financial risks were the most important, only 38 per cent systematically passed input price increases through to customers as a risk mitigation strategy. Compared with hedging, contract terms and conditions, and other technical instruments, pricing is often an underplayed financial risk mitigation tool.


    Faced with an impending increase in raw materials prices that, unabated, would have more than halved its Ebitda (earnings before interest, taxes, depreciation and amortisation), an industrial products manufacturer with which we have worked used the crisis to implement a new pricing approach. Rather than leave the problem to be dealt with independently by each country and category manager, the company rapidly built a central pricing capability. The result, visible less than two months later, was a set of industry-leading price moves based on a deep understanding of price sensitivity by country and channel, an integrated view of costs and margins, and a co-ordinated perspective on each competitor’s likely pricing moves.

     

    Not only was the cost increase more than offset (unlike many competitors, the company improved its margins in this period), but the new capability served as the catalyst for an ongoing series of highly profitable top-line initiatives.

     

    Hazard risk: turning supply risk into revenue growth. When Hurricane Mitch devastated banana plantations in Honduras, Nicaragua and Guatemala in 1998, Dole and Chiquita experienced strikingly different consequences. Dole lost 25 per cent of its global capacity and suffered shortages for more than a year. In contrast, Chiquita had already recognised the risk of being dependent on the region and had developed secondary sources elsewhere before the storm hit. Unlike Dole, Chiquita quickly moved to tap its alternative sources and increase production in other locations.

     

    The net result was that Dole’s revenues decreased by 4 per cent for the year, while Chiquita’s increased by 4 per cent. Dole’s risk management practices did not protect it from a costly downside, while Chiquita’s allowed it to maintain its growth.

     

    What these examples show is that approaching purchasing-related risks from a business, rather than functional, perspective can generate opportunities for value creation. But capturing the upside requires that purchasing be tuned to a customer and competitive perspective and work closely with other functions such as R&D, manufacturing and sales – a significant shift in intent, approach and capability. Indeed, all elements of the purchasing function (strategy, process, organisation, resources and systems) must be enhanced.

    Levels of maturity

    Through our client work and recent research, we have observed significant variability in the level of organisational maturity in dealing with purchasing-related risks. Based on these interactions, we have developed a risk management maturity framework, as shown in figure 3.

     

    “Unstructured” companies (those at level 1) react in an ad hoc manner to each risk as it arises. “Reactive” (level 2) companies have predefined processes to respond if a risk rears its head. “Proactive” (level 3) companies establish approaches and contingency plans to anticipate and counter their highest priority risks; they are highly competent at downside protection. “Cross-functional” (level 4) companies, meanwhile, approach risk management in a strongly integrated manner, collaborating closely both internally and with suppliers. And at level 5, “value-creating” companies systematically seek to exploit the upside and view purchasing as a full partner in addressing strategic issues, driving growth and creating new value, not just as a contributor to cost competitiveness.

     

    As figure 4 shows nearly all of the companies in our recent research fell between levels 1 and 3. Attaining a solid level 3 proactive capability is, we suggest, the minimum performance standard required to control the costs of purchasing-related risks, and has become a critical organisational competency. Levels 4 and 5 represent an opportunity for further improvement for businesses that have mastered the fundamentals of risk management.

     

    [ Zoom ]
    Figure 3

    Comparing the two ends of the spectrum on five organisational dimensions provides a clear understanding of the differences between companies still working to control the downside and those beginning to capitalise on the upside.

     

    Strategy. Level 1 companies accept risk as a cost of doing business and lack even the most basic risk management approaches. Level 2 and 3 companies focus on implementing adequate risk management structures and processes to control costs. A marked shift in mindset and capabilities takes place after level 3, with levels 4 and 5 representing an emerging frontier of performance where the goal is to use tightly integrated processes to create value and build competitive advantage.

     

    Less mature risk managers tend to focus on a small number of well-understood operational and financial risks, such as quality, on-time delivery and bankruptcy. More mature risk managers address a broader set of business-specific risks and, importantly, devote more attention to strategic risks. Among companies that indicated strategic risks were a high priority but that those risks were not formally managed, 37 per cent said it was because they were uncertain how best to handle them.

     

    Processes. An adequate risk management process links four steps:  

    1. Risk identification.Identify which risks are likely to affect the business and document their key drivers and characteristics.

     2. Risk qualification and quantification. Assess the probability and likely impact of identified risks on key performance metrics (eg, earnings or cash flow at risk).

    3. Risk response. Develop strategies to respond (avoid, transfer, mitigate, accept) consistent with the company’s overall risk appetite, the portfolio of risks to be addressed, and the need to deploy resources efficiently and effectively.

    4. Risk monitoring and measurement. Monitor the risk environment on an ongoing basis and evaluate the performance of current risk response strategies.

     

    Most companies fail to complete all four steps. They typically identify risks, but fail to qualify or quantify those risks rigorously. Similarly, they determine ways to respond but don’t then measure the efficacy of their responses. Some 60 per cent of companies surveyed used informal approaches to determine the probability and impact of risks, and fewer than one-third had sophisticated measurement processes in place to evaluate the performance of their risk management strategies.

     

    Moreover, less mature companies tend to work in silos and have one-time or periodic approaches. For example, the risk mentioned most frequently by our interviewees was supplier bankruptcy. But although many companies use criteria related to financial health in their initial supplier selection, they lack defined processes for regularly reassessing suppliers and are only now taking action in response to the economic downturn. As an executive at a consumer durables company said: “We have become sloppy about re-evaluating our suppliers on a formal basis… but we’re planning to do a surprise audit programme in 2009.”

     

    This is a business imperative now  because the number of businesses filing for bankruptcy is expected to rise sharply. According to US statistics, bankruptcies rose by 42 per cent between 2007 and 2008 – the highest percentage change for 20 years, and before the current downturn really gathered pace. 

     

    Top performers, on the other hand, not only identify and respond to risks but also explicitly qualify and quantify them and regularly measure the efficacy of their response strategies. They use continuous, cross-functional processes that provide early warning signals. In many cases, these early warnings come from superior supplier monitoring or scorecard approaches that provide insight into how suppliers’ businesses are performing, such as understanding how new developments from other major customers may be affecting their business. This can supplement traditional measures such as tracking on-time order fulfilment and credit agency ratings.

     

    Organisation, resources and systems. Many companies lack people with enough experience in risk management. They also lack the systems and cross-functional linkages – including risk-related key performance indicators (KPIs), organisational reporting and relevant forums to discuss risk – required to identify and manage risks across the company. By contrast, mature purchasing risk managers engage with other functions as well as with suppliers. They have designated risk management resources as well as IT systems that capture relevant risk-related data. They also have established risk-related KPIs and visible roles on enterprise-level risk bodies.

     

    Our maturity model illustrates the evolution of the strategy, processes, organisation, resources and systems required to move from one level of risk management performance to another. Companies toward the right-hand side of the maturity framework make more money (lower total cost of ownership, fewer incidents resulting in lost revenue), have fewer surprises (early warning signals) and enjoy more options for value growth (collaboration with strategic suppliers). Using figure 3, CPOs can position their functions and companies against each of the organisational elements to assess the current level of performance, set risk management goals and identify the gaps to be filled.

     

    Protecting against the downside

     Whereas ad hoc responses and rough and ready approaches to risk management may have been enough in the past, increased uncertainty, frequency of incidence and severity of impact have all raised the value of having a disciplined and systematic approach to deal with purchasing-related risks. CPOs must ensure they are providing adequate protection against the downside; only then can they aspire to position their companies to benefit from the upside.

     

    Fully protecting against the downside requires achieving a solid level 3 performance. This entails building disciplined risk management (identification, qualification and quantification, response, monitoring and measurement) into the core work of purchasing staff and developing the rest of the organisational system to support the improvements in the process area. To start, we suggest the following steps:

     

    Prioritise the most important risks – and do it early

     

    A clear requirement for all CPOs is to identify the full range of purchasing-related risks and then prioritise those with the greatest potential impact for the company. This effort should be comprehensive and pragmatic (concentrating limited resources on the most important risks), systematic and analytical, and co-ordinated with existing enterprise-level risk management.

     

    Focusing at the level of the purchasing category is an appropriate starting point because existing teams, processes and data are typically structured around purchasing categories, and category-level purchasing strategies can easily be expanded to formally incorporate risk metrics alongside existing targets. Ideally, risk identification should start early in the product or service lifecycle.

     

    However, among our surveyed companies, only about half had even informal processes to identify risks during product or service design and engineering. For all companies, risk identification must become a routine part of core purchasing activities: supply market assessment, supplier selection, supplier monitoring and relationship management.

     

    Prioritisation should take place on two levels. First, prioritise purchasing categories through a rapid diagnosis across the entire purchasing portfolio, using a classic Kraljic matrix as a first step, followed by more detailed analysis of those categories in the “bottleneck” and “strategic” quadrants1..

     

    Once the high-priority purchasing categories have been determined, CPOs must further identify and prioritise specific risks within these categories. The key areas of potential impact in figure 1 provide a structured basis for developing an extensive list of the risks that may exist within a high-priority purchasing category.

     

    Consider risks that could have any of the following consequences:

    • Price: risks affecting the cost of inputs to products and services.

    • Total cost of ownership: risks affecting the costs surrounding the product or service, including transportation, logistics, inventory levels and other elements of working capital.

    • Current revenue sources: risks affecting revenue, through product unavailability, reduced product quality, and so on.

    • Future innovation value: risks to new product development owing to misguided development partner selection, poor strategic supplier relationship management, loss of intellectual property, and so on.

    • Overall viability: risks to corporate viability based on, for example, social responsibility issues or reputational harm.

     

    The next step is to qualify and quantify each risk. The assessment of probability and impact can then be used to create a final list of the most important risks requiring attention. Companies toward the left-hand side of the maturity framework will likely use mostly qualitative approaches, while their more advanced counterparts will develop quantitative metrics in a broad range of cases. In any case, across purchasing categories, risks and buyers, there should be a consistently rigorous approach to assessing probability and impact.

     

    Create a playbook of response strategies

     

    With prioritisation of risks complete, the challenge is to select the most effective responses for the company. Response strategies will vary greatly according to the specific risk, magnitude of purchasing spend, characteristics of the supply market, earnings or cash flow at risk, full portfolio of risks being managed, and company risk appetite. Formulating a response should be considered at two levels: at the individual risk level and for the portfolio of risks as a whole. Resource constraints will often not allow every risk to be fully mitigated or sometimes even mitigated at all. The key will be to select a set of responses that provides the optimal trade-off in terms of risk versus impact.

     

    More mature organisations will have a broader repertoire of responses enabled by greater cross-functional collaboration, deeper supplier relationships and integrated decision-making that permits more sophisticated ways of managing risk. For all companies, though, it is important to develop a “playbook” for the most likely or most powerful risks. This will often take the form of contingency planning, and needs to be undertaken in conjunction with suppliers.

     

    Develop a real-time system

     

    The last tactical step is to develop simple but effective risk monitoring systems, rather than observe impacts in a rear-view mirror. It is critical to monitor risk exposure at the right frequency. For some stable risks, such as contractual terms and conditions, this could be annually; for suppliers’ financial health, it may be monthly; for commodity prices, daily intelligence is the likely need. In some cases, developing the real-time system will require building or enhancing analytic capabilities, but generally the intent is to leverage existing processes and tools.

     

    Build the organisational infrastructure

     

    In parallel with implementing the process improvements noted above, CPOs should focus on two high-value organisational elements: defining a small number of risk-related KPIs to supplement existing cost-focused KPIs, and integrating risk metrics into organisational reporting structures.

     

    Given the truism that what gets measured gets managed, creating risk-related KPIs is particularly important. These can be measures from operating activities, supplier scorecards or day-to-day interactions between internal and external stakeholders (such as supplier facility visits), and with increasing maturity should become increasingly quantitative. For example, one measure could be the percentage of single-source suppliers for which contingency plans are in place. Among the executives we interviewed, only a small minority had implemented risk-related KPIs.

     

    Once the indicators are defined, CPOs should make them visible to top management and ensure that senior executives grasp the cost/risk trade-offs embedded in purchasing activities. In our survey, a surprisingly high proportion of senior managers and company executives lacked visibility into purchasing-related risks. CPOs should lobby to become integral members of any existing enterprise-level risk bodies; in organisations that have such bodies today, purchasing is formally involved just over half the time. As one purchasing executive noted: “We have a corporate risk management committee, but very few things in procurement go to this committee.”

     

    CPOs must ensure that “risk thinking” is incorporated into their purchasing teams’ day-to-day activities, and that all elements of the organisational system support a culture of risk awareness and management.

     

    [ Zoom ]
    figure 4

    Capturing the upside

    Once purchasing has achieved excellence in protecting against the downside, CPOs can begin to think about capturing the upside. The most important differentiator between organisations that solely manage the downside and those that also seek an upside is the time spent connecting risk with its impact on revenue growth and innovation. Purchasing departments with an upside mindset act as full partners in tackling company-level strategic challenges by using their activities and relationships with suppliers to contribute meaningfully to the total value delivered to customers today and in the future.

     

    With an upside mandate, purchasing must manage risks linked to selecting strategic partners with which to collaborate; structuring and overseeing relationships with those partners; creating win-win compensation models for fruitful collaboration; sharing product formulations and intellectual property; and upgrading supplier capabilities through joint initiatives. As a purchasing executive at a consumer durables firm told us: “We’ve already identified our core capabilities, so that from a strategic standpoint we are able to engage suppliers early in the new product development process, defining their value-add and using carefully crafted contracts to govern intellectual property issues.” 

     

    Fulfilling these new responsibilities represents a major shift in mindset, capabilities and organisation compared with those required to manage the downside. Making this shift requires purchasing leaders to have a thorough understanding of their company’s strategy, customers and operations. As purchasing strengthens working relationships with other internal actors, the function will need to build formal mechanisms to gain cross-functional consensus on key decisions involving purchasing-related risks.

     

    Our survey indicates that nearly one-third of manufacturing and R&D/engineering functions, and around 45 per cent of marketing, sales and customer service functions, play no role in managing key purchasing-related risks. Similarly, working on growth and innovation will require new types of suppliers, such as original equipment manufacturers or patent holders, and new modes of interaction with suppliers, such as joint development agreements or revenue-sharing arrangements. While these changes will enable new opportunities for the company, they will also introduce new types of risks. The purchasing organisation must evolve to manage both.

     

    *****

     

    As purchasing moves to take a greater role in company-level or enterprise risk management, the CPO and top management agendas will increasingly converge. CPOs must shift the nature of their relationships with the most senior executives to reflect this change. One effective way to do this is to craft a detailed plan for strengthening purchasing-related risk management that articulates a vision, highlights the financial benefits, and identifies the actions and investments required to implement this new model and broader role focusing on cost, risk and growth.

     

    To be clear, this is not a casual conversation with the CEO, but a formal business case built around real issues facing the company and a structured return on investment-based argument for change. Making the transition to both protecting the downside and delivering the upside will not be easy, but current economic conditions provide a unique opening. As one purchasing executive pointed out: “Unless there is a real crisis, there are no drivers of change for our purchasing organisation.”

     

    CPOs will face greater scrutiny and pressure to deliver as economic conditions worsen. With many companies now facing a prolonged period of increased risk and declining revenues, purchasing and purchasing-related risks have top management’s attention.

     

    The premium on low-risk cost reductions and new growth opportunities has never been greater. Purchasing should embrace the opportunity created by this turmoil to lead the development of an integrated view of purchasing-related risks and a co-ordinated set of actions to protect against the downside and create a tangible financial upside.  

     

    BRIEFING:

    About the research

    From October 2008 to January 2009, Oliver Wyman examined the purchasingrelated risk management practices of 150 companies through interviews with 63 senior executives and purchasing leaders, and an online survey of 87 companies.

     

    Respondent companies represented a wide range of geographies, industries and sales volumes:

    • Geographies: North America (43%), continental Europe (30%), UK (26%), other (1%)

    • Industries: Industrial products (45%), services, leisure and hospitality (26%), consumer products (24%), other (5%)

    • Annual sales: Less than $1bn (14%), $1bn-$5bn (32%), $10bn or more (27%)

      

     

    CASE STUDY:

    Stabilising a volatile situation

    In the chemicals industry, reaction vessels – where chemical reactions occur – play a critical role in the manufacturing process. Any problems with these vessels can disrupt production by lowering yields or causing unplanned stoppages. Because of their importance, vessels must meet regulatory requirements and stringent specifi cations, and are custom manufactured, requiring long lead times of up to one year.

     

    A leading European specialist chemicals company faced a number of operational risks related to this key purchasing category. In the early part of this decade, a combination of severe pricing pressure and lack of capital affected its vessel suppliers. Several went out of business, many switched their focus to diff erent markets, and others were forced to downsize, leading to a signifi cant reduction in technical capabilities.

     

    As a result, the quality of supplied vessels declined, causing major operational problems for its chemicals production. This led to an alarming rise in repair costs and production delays for the company, with one incident alone resulting in nearly €6 million of lost profit from unexpected service costs and forgone sales.In fact, the company calculated that a purchasing category with annual spend of less than €30 million placed nearly €10 million of profi t at risk per year. Faced with this persistent and costly risk, the company implemented a two-part response strategy.


    First, it modified its supplier selection criteria to factor in the risks of poor quality by incorporating feedback from day-to-day users, requiring greater disclosure of suppliers’ manufacturing and testing processes, and applying a total cost of ownership evaluation to compare suppliers.  Second, it implemented a continuous monitoring programme to audit suppliers and their quality controls.


    Since these processes have been implemented, there have been no major incidents and the costs avoided have already repaid most of the investment in new risk management processes and tools.

     

    Further reading

    1 Peter Kraljic, "Purchasing must become supply management", Harvard Business Review, September-October 1983

     

    For other CPO Agenda articles on risk management, click here

     

    Stephen Finch (stephen.finch@oliverwyman.com) and Ashley Hubka (ashley.hubka@oliverwyman.com) are partners at Oliver Wyman, an international management consultancy, based in London and Boston respectively. Gregory Kochersperger (gregory.kochersperger@oliverwyman.com) is a partner in the firm's Paris office and is head of its global value sourcing-led operations practice. The authors thank Laurent Guerry, Erica Nielsen, Elda Simonaska and Steve Won for their invaluable assistance in developing this article