http://www.gowerpublishing.

com/isbn/9780566092183

A Short Guide to
Procurement Risk

Richard Russill
 1 Procurement
and Risk – The
Big Picture

Procurement’s Place in the Business …

and the Need to Get It Right
Every business enterprise uses suppliers in one form or
another. It is inherent in the business model. One enlightened
CEO described her company’s business in this way: ‘we buy,
we transform and we sell.’ She added: ‘… and we need to be
equally good at all of that if our business is to be as successful
as possible.’ In other cases it might be more accurate to say
‘this is what we do and what we sell to our customers, and
we use external sources (of whatever) to make it possible to
do that.’ In the public sector, the equation could be expressed
as ‘we buy, we add value and we deliver.’ The point is that no
company or public sector organisation is an island. Resources
are needed at one end of the business just as customers are
required at the other.

Traditional procurement is no stranger to risk management,

witness any good company’s approach to contract terms and
conditions and supply planning. But things move on. Public


 1 A Short Guide to Procurement Risk

and private sector organisations have outsourced activities

previously conducted in-house; what were domestic supply
chains now span the globe in search of low cost sources; and
communications technologies have dramatically increased
the possibility and appetite for rapid, constant change …
whilst also rendering a company’s activities more transparent
and open to public scrutiny.

Despite this, most companies are so focused on managing the

people and assets employed in the business and on satisfying
their customers that they fail realise what is going on behind
them in their supply markets. And it is not all good news:

 Vulnerabilities in physical supply chains are poorly

understood and managed. This has been identified as one
of four emerging risk issues likely to impact in the years to
come. The recent capture by Somali pirates of a cargo ship
serves as a stark lesson that this is no theoretical forecast
and that the ‘unimaginable’ does happen. Increasing
supplier bankruptcies coming in the train of the economic
crisis only add to supply chain woes.

 High growth in the Chinese economy in 2007–08 drove

huge price increases in commodity raw materials along
with additional concerns about shortages of supplies for
Western economies. Freak weather conditions in Brazil
and India caused wholesale prices of sugar to hit a near
28-year high, up 80 per cent in 2009 alone. An expected
knock-on effect will be a global shortage of sweeteners as
big importers of sugar switch into them as a substitute.

 World Economic Forum Report, January 2008, ‘Global risks 2008’.


 Procurement and Risk – The Big Picture 1

 Although its supplier had breached a contract, a customer

company had to accept a court ruling in favour of the
supplier because the buyer had not exercised the contract’s
termination clause in a timely manner.

 The value of procurement fraud in the UK increased by

347 per cent during 2008.

 And truth continues to be stranger than fiction. Workers

at a recently bankrupted French company supplying the
car industry threatened to blow it up if their redundancy
compensation claims were not satisfied. ‘The gas bottles
are in the factory. Everything is ready to blow it up,’ said a
union representative.

Another company knew exactly what it was doing in its supply

market but was caught for manipulating supplier behaviour.
The computer chip manufacturer was found guilty of engaging
in illegal practices, one being to make payments to suppliers to
halt or delay the launch of products containing competitors’
components.

The view that supply chain vulnerability is an ongoing

concern is confirmed by the fact that Aon’s 2009 Global Risk
Management Survey includes supply chain failure in its Top
Ten most pressing risks around the world. Interestingly at
least half of the risks in the Top Ten can be directly related to
procurement activity, and hence would fall within the remit of

 Supply Management, 30 April 2009, ‘Use it or lose it’.

 Supply Management, 11 June 2009, ‘The pressure is on’.
 The Daily Telegraph, 14 July 2009. (The claim was settled without the
need for detonation!).
 Supply Management, 28 May 2009.
 insight.aon.com ‘The Definitive Report on Risk, 2009’.


 1 A Short Guide to Procurement Risk

Procurement Risk Management (PRM). One consequence of

this is that procurement risk has emerged as a comprehensive
topic in its own right rather than being a facet of specific but
fragmented procurement tasks. The benefit of this ‘promotion’
up management’s agenda is the requirement for more clarity
about what is ‘procurement risk’ and greater awareness that
risks can lurk in areas where traditionally they have not been
sought.

However, a comprehensive commercially aware approach to

procurement is not the norm. In its absence, organisations
experience one or more of the harming events listed in Box 1
and will under-perform, maybe not survive, as a consequence.
The impact of supply chain disruption on business performance
has seldom been better described than in Hendricks and
Singhal’s comprehensive, and sobering, study of its effect on
long-term shareholder value. To quote from their concluding
summary:

The evidence presented in this report makes a compelling

case that ignoring the risk of supply chain disruptions
can have serious negative economic consequences.
Based on a sample of more than 800 supply chain
disruption announcements, the evidence indicates that
firms that suffer supply chain disruptions experience
33 to 40 per cent lower stock returns relative to their
benchmarks, 13.5 per cent increase in share price
volatility, 107 per cent drop in operating income, 7
per cent lower sales growth, and 11 per cent increase
in costs. By any yardstick these are very significant

 In addition to supply chain failure the risks are: business interruption;

commodity price risk; damage to reputation, and cash flow/liquidity risk.
 Hendricks, K. and Singhal, V. 2005. The Effect of Supply Chain
Disruptions on Long-term Shareholder Value.


 Procurement and Risk – The Big Picture 1

economic losses. More importantly, firms do not quickly

recover from these losses. The evidence indicates that
firms continue to operate for at least two years at a
lower performance level after experiencing disruptions.
Given the significant economic losses, firms cannot
afford such disruptions even if they occur infrequently.

Box 1
What are the Risks of No
Procurement Risk Management?
• Profit, budgets, and cash flow are all hurt:

− substantial reductions in shareholder value occur

− need to maintain a far higher than necessary level of risk
capital

• Customers kept waiting or turned down.

• Helplessness in dealing with supplier price increases.

• Output prices forced up with loss of competitiveness.

• Poor supplier performance or, worse, allocation or loss of supply.

• Fragmentation and loss of procurement negotiating leverage.

• Legally unsound contracts heavily biased in suppliers’ favour.

• Unproductive use of human resources.

• Insufficient 'internal challenge’ of specifications and decision-

making.

• Decision-makers prey to the tactics of salespeople.

• Political embarrassment or damage to company image and

reputation.


 1 A Short Guide to Procurement Risk

• Vulnerable to internal and external fraud.

• Exploited and manipulated by monopolies, cartels and hostile

contractors.

• Supplier innovations passed to competitors.

• Beaten to the market by competitors with new products or services.

• Too quick or too late to market with own new offerings.

• Damage to brand and company reputation by unethical

behaviour or incompetence.

• Organisation is penalised for non-compliance with regulatory

requirements.

• Organisation’s activities become subject of public scrutiny and

investigation.

The ultimate goal of risk management is to protect and

enhance what the enterprise is primarily there to do. In the
private sector the aim is profitable survival. The public sector
equivalent is to deliver maximum service and organisational
effectiveness within the constraints of the resources provided
to do it. This includes money. But is the risk-catching net
being cast wide enough? Focusing on risks external to the
company tells only half the story. What is less well known is
that risk exposures also exist inside the company and can be
just as damaging.

Whilst excellent articles are written about PRM, the balance

of content trends in the direction of risk evaluation and
mitigation rather than something which is arguably even
more important, namely identifying risks at the outset. As one
Chief Procurement Officer (CPO) observed: ‘we are good at


 Procurement and Risk – The Big Picture 1

reacting to issues when they arise but not good at populating

our risk register in the first place.’

‘Playing with Fire’: The Elements of Procurement Risk

Management

Procurement Risk exists for an organisation ‘when supply

market behaviour, and the organisation’s dealings with
suppliers, create outcomes which harm company reputation,
capability, operational integrity and financial viability.’

The key word in this definition is ‘harm’. This requires

judgement, criteria, and maybe calculation, to decide if an
event is potentially harmless or harmful. It is also necessary
to distinguish between what is ‘at risk’ (that is, ‘exposed’) and
the possible event that does the damage. For example, the
company’s ability to meet delivery commitments is exposed
to the possibility of supply disruption or if a key supplier
becomes bankrupt. Recessions mean that suppliers shut down
production capacity to save overhead costs, which eventually
lead to shortages when the upturn comes. Suppliers use price
increases to ration supplies. Thus, financial performance and
the ability to meet budgets is now exposed to the significant
price increases that suppliers can impose when it is a seller’s
market.

In examining what was at risk, one public sector organisation

addressed the question ‘in what way could our work or existence
be harmed if untamed risks escaped to do us damage?’ Four
main exposures were identified:

1. reputation;

2. operational continuity;


 1 A Short Guide to Procurement Risk

3. financial viability;

4. being a target for litigation.

The need to be clear about ‘what is exposed’ arises because,

without it, it is difficult to work out what it is worth to
reduce or prevent a risk from occurring. For example, the
cost of a lost day of production is easily calculated. A possible
disruptive event might be a strike at the haulage company
that has the job of delivering production raw materials. The
strike could feasibly last for five days. The contingency plan
may be to hold a five-day stock of materials as insurance
against the possibility of the strike. The cost of this plan can
be compared with the cost of five days of lost production. If
the contingency plan costs less than the impact of the strike
then it makes sense to action the plan. An apparently cheaper
option would be to hold the supplier responsible for the costs
of non-delivery and seek to recover these afterwards. But this
is reactive, will involve a lot of work to get the money back,
and still leave a dissatisfied ultimate customer whose order
has not been fulfilled. These indirect costs must be added into
the total evaluation.

Another reason for taking pains to define exposures is that

it helps to identify potential disruptive events. The usual
approach is to say ‘here is a supply chain … what could go
wrong with it, and what would be the cost of the harm done?’
This convergent approach will identify possible events, but
not as many as will be revealed by divergent thinking. The
latter starts with an exposure … e.g. reputation … and then
imagines all the supply-related things that could happen to
tarnish it. ‘Our reputation is exposed to the actions of others
… how many things can we think of that will damage our
reputation if they happen?’

10
 Procurement and Risk – The Big Picture 1

The combination of an exposure and an event is an ‘impact’.

If disruptive events happen and the company is exposed as
previously mentioned, then the impacts are:

 tarnished reputation;

 interrupted day-to-day operations;

 spiralling costs;

 being sued.

Events actually have to happen to be harmful. But how likely

are they to occur? Sophisticated mathematics can be used to
estimate probability, but for most purposes ‘high, medium
or low’ will often suffice, although the case for slightly more
precision is made in Chapter 7. These terms can be quantified
as follows:

 high means ‘event will occur in most circumstances and

one event can be expected each year.’

 medium means ‘will probably occur at least once every five

years.’

 low means ‘not expected to occur in normal circumstances

and less than once in every five years.’

Finally, what can be done to mitigate an undesirable impact

caused by a high- or medium- probability event occurring?
A mitigating action will reduce, eliminate, or compensate
for the harm done and, in general, will involve either direct
or indemnity actions. Direct action will reduce or eliminate

11
 1 A Short Guide to Procurement Risk

the ‘at risk’ situation (e.g. by laying down some contingency

stockholding), whereas indemnity actions are designed to ‘let
harm happen’ but to provide compensation in the event (e.g.
taking out insurance to cover business continuity).

The different elements of being ‘At Risk’ can be connected as

follows:

Being ‘At Risk’ = Impact × Probability × No Mitigation

where Impact = Exposure × Event

Just as fire is extinguished when either fuel, or oxygen, or

temperature, is removed from a conflagration, so removing
or reducing one or more elements in the above equation
prevents being ‘at risk’. However, effective PRM does include
accepting some risks, with these situations being monitored
to avoid being caught out if things change. Other situations
can be left ‘at risk’ but contingency plans are ready should
risks materialise. And where real trouble lurks, urgent action
is required followed by regular audit.

Targeting PRM in the Risk Landscape

Many definitions of risk management exist but are often too

vague to be useful, such as ‘risk is the probability of incurring
loss or misfortune’. Most definitions focus only on the
possibility of a disruptive event, such as a break in the supply
chain, but what also matters is the failure to take advantage
of an opportunity from which the organisation could benefit.
This is recognised in the UK’s Office of Government Commerce

12
 Procurement and Risk – The Big Picture 1

(OGC) approach which defines risk as ‘uncertainty of outcome,

whether positive opportunity or negative impact.’

As stated earlier in this chapter, procurement risk exists for

an organisation ‘when supply market behaviour, and the
organisation’s dealings with suppliers, create outcomes which
harm company reputation, capability, operational integrity
and financial viability.’ This guide then defines Procurement
Risk Management (PRM) as ‘the name given to the measures
taken … including changes to behaviours, procedures and
controls … which remove procurement risks or reduce them
to what is considered to be an acceptable level.’

There are a number of pre-requisites for risk identification to

be effective. Two important ones are the already-discussed
need to link an event to an exposure to quantify its impact,
and the need for unbridled creativity in imagining potentially
disruptive events in the first place. A comprehensive search
for ‘at risk’ situations surveys five different landscapes where
risks may lurk:

 external dependencies (e.g. supply chain robustness,

supplier viability);

 market conditions and behaviours (e.g. competitive or

not; supply availability);

 procurement process;

 management controls;

 www.ogc.gov.uk ‘Achieving Excellence, Guide 4: Risk and Value

Management’.

13
 1 A Short Guide to Procurement Risk

 ability and agility to handle unexpected events.

External Dependencies concerns the reliance on supply

companies; their values and viability; performance, and the
durability of supply chains. Market Conditions and Behaviours
concerns the competitiveness or otherwise of supply markets;
supply availability; price trends and the regulatory context.
Procurement Process covers the way different people work
together in all decision-making and behaviours which affect
the customer’s dealings with suppliers. Management Controls
refers to the proper use of authority in the company; the
framework whereby it is delegated and the principles expected
to be employed. In effect this is the DNA of the procurement
process. And the Ability to Handle the Unexpected means just
what it says.

No one of the five risk landscapes is more important than

the others. Figure 1.1 shows the ‘Risk Catcher’ which keeps
the total risk management panorama in view, and the search
process comprehensive. Importantly, this integrated approach
encourages different risk specialists to come out of their silos of
operation. For example, ‘management controls’ is usually the
province of the company’s Chief Internal Auditor; ‘handling
the unexpected’ the concern of the Risk Director; and ‘external
dependencies’ the focus of the CPO. These three do not often
meet, but some joint risk catching gives them the reason to
do so. The result of a shared risk analysis will be superior to
the sum of its parts, with the bonus that non-procurement
people have their eyes opened to the risks and opportunities
presented by supply markets.

14
 Procurement and Risk – The Big Picture 1

Procurement Process
5

4.5

3.5

2.5

Management Control 1.5 External Dependencies

1

0.5

Market Conditions and

Handling the Unexpected
Behaviours

Figure 1.1 The ‘Risk Catcher’

In the next five chapters, each of these risk landscapes is

considered in more detail. We start with the subjects most often
written about, namely, a company’s dependence on external
supply chains and its exposure to hostile market conditions.
Then follow two less fashionable topics … ‘less fashionable’
only because little is written about them. This may reflect
the fact that they are not truly understood or that they are
not held to be important. The opposite is true. Procurement
Process and Management Controls are highly potent sources
of risk, and all the more so if believed to be not relevant. The
final topic deals with the occurrence of unexpected events
and how some people and companies are better than others
at handling them.

Each chapter provides examples of potential risks and what

the remedies look like. Whilst this is useful, there is the danger
that only the symptoms of problems will be fixed rather
than their root causes. Hence, once the more concerning ‘at
risk’ situations have been dealt with, it is important to make

15
 1 A Short Guide to Procurement Risk

further changes which create a working climate and culture

where PRM is a fact of day-to-day life rather than a specific
task only revisited when the risk register needs updating. Thus
the next five chapters also present the underlying principles
of risk prevention appropriate to each risk landscape. These
ensure a proactive approach to PRM where risks are less likely
to materialise and do harm, as distinct from reactive PRM
where disruptions are ‘allowed’ but where harm is prevented
by the safety net of contingency plans or by being quick on
one’s feet.

When done well, a high-performance risk-aware procurement

process provides the bonus of competitive advantage, with the
ability to capitalise, rather than suffer, from the occurrence of
unexpected events. This short guide explains how to do it. But
before delving further, it is necessary to take stock of where
an organisation currently stands vis-à-vis PRM best practice.
Box 2 offers the means of a first self-assessment.

Box 2
Procurement Risk Management:
Self-Assessment of PRM
Preparedness
Assess your company’s PRM-preparedness by testing
against the following criteria (1 = low, 5 = high)

Procurement Process
1. Procurement is non-existent as an identifiable defined process
in the company.
2. Procurement behaviour is streetwise and deal-oriented but with
little structure or functional influence.

16
 Procurement and Risk – The Big Picture 1

Internal IT systems offer visibility of the supply chain.

3. Procurement activity is procedures-oriented and focused on
internal customer service, albeit responsive to need.
Requisitions (timing and quantity) are driven by the company’s
daily operations’ planning system.
IT systems have basic supplier information feeds and basic risk
models are in place.
4. Procurement activity relies heavily on leverage and muscle-
power.
Requirements are defined by the planning system and/or by
commercially sensible considerations.
Decision-making is supported by analytical tools and an
effective information system infrastructure.
IT systems provide real-time feeds on the status of goods
within the supply chain.
5. Procurement is a core cross-company process integrated into
the company strategy and designed to maximise sustained
shareholder value. Comprehensive costed risk models are
maintained and frequently updated.

External Dependencies
1. Orders and contracts are ‘casual’ or ad hoc and are usually on
suppliers’ terms and conditions.
Purchases are often made by ‘non-purchasing people’ with
few, if any, records of transactions made.
2. All suppliers are treated the same way, although some get more
attention than others. Activity is ‘today’ orientated.
There is a legal basis for contracts placed.
3. Supply chains are generally understood and selective contracting
strategies are used.
Few, if any, contract loopholes exist and supplier performance
is monitored.

17
1 A Short Guide to Procurement Risk

4. Key supply chains are understood in detail. Supplier relationships

vary from ‘arms-length’ to ‘close collaboration’.
Vulnerability Analyses have been completed and contingency
plans are in place.
5. An active and productive Supplier Relationship Management
programme is in place. PRM is comprehensive.

Management Controls
1. Nothing is codified … all decisions and actions are ‘intuitive’
and/or require top level approval.
2. Basic business standards, principles and policies are defined.
A framework for Authority Delegation may exist but is most
likely to be out of date.
3. As 2 but the policies and authorities are regularly reviewed and
updated.
Specific controls are defined which relate to the procurement
process.
Functional authorities are clearly specified (in terms of purpose
and clarity).
4. As 3, plus authorities are substantial and reflect an empowered,
skilful culture.
Procurement emphasis is on acquiring best total return on
acquisition costs.
5. As 4, plus procurement policies are all-embracing (i.e. they
apply to all company personnel).

Market Conditions and Behaviours

1. The customer company (i.e. yours) generally feels helpless and
is glad to get what they can.
2. The customer company is vulnerable to supplier sales tactics.
Deals are the supplier’s standard offering, but may be
cosmetically enhanced to please the buyer.

18
 Procurement and Risk – The Big Picture 1

3. Market distortions are understood and effectively

counteracted.
Fundamental drivers of supply costs are understood and
trends are monitored.
4. Measures are in place which reflect awareness of the possibility
of fraud and unprincipled supplier behaviour.
5. For key requirements, strategies are in place to influence supply
markets and to elicit desired market responses (e.g. Reverse
Marketing).

Handling the Unexpected

1. We know that the unexpected can happen but we hope that it
won’t.
2. ‘Logical’ contingency plans are in place but tend to be specific
to a contract.
3. Comprehensive PRM is in place.
By definition this includes strategies and contingency plans
for all identified critical suppliers in terms of profit impact.
4. The company organisation exhibits the characteristics of High-
Performing Teams and is agile yet goal-oriented when addressing
unforeseen events.
IT systems monitor numerous aspects of the supply chain over
and above materials’ flow. Examples are supplier solvency and
natural catastrophe alerts relevant to the supply chain.
5. Not possible as no one can predict everything that might
happen! The gap between ‘4’ and ‘5’ represents the space for
the random event to materialise.

19
1 A Short Guide to Procurement Risk

Further Questions for Urgent

Attention
 How many of the undesirable events shown previously
in Box 1 do we experience and what are we doing about
them?

 Do we know which are our key supply chains and what

potential events they are vulnerable to?

 Have we specifically evaluated how our corporate strategies

and business plan can be helped or harmed by supply
market events?

 Do we have a systematic process for identifying and

evaluating procurement risks?

 Is our procurement process segmented into silos or does

it lean more towards being a continuum of parallel
operational and commercial activity?

20