It is often said that the starting point for every procurement function is knowing who your suppliers are and what they do.
Unfortunately, procurement and finance teams are often left without the ability to access this basic supplier information due to a lack of specialist procurement tools. You will often find team members performing tasks they are over-qualified for and having to make do working in shared folders and on spreadsheets, and consequently not spending enough time on alternative value-generating activities.
As most will know, the traditional manifestations of these problems are poorly negotiated agreements, lost opportunities and exposure to the risks of poor supplier performance. Over the last couple of years, regulatory scrutiny over the supply chain has increased significantly, and presented procurement professionals with a new challenge.
Legislation like the Modern Slavery Act (2015) and The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) stipulate that organisations are at the very least expected to have policy statements regarding their compliance. The knock-on effect is the responsibility of a buying organisation in turn to seek similar statements, and preferably detailed responses to questionnaires, from suppliers.
It is being suggested in some quarters that existing supplier contracts should be made GDPR compliant, with key issues flagged to suppliers and new clauses entered regarding data responsibility. There are various items in Article 28 of the act that cover what should go into the contract including data subject rights. Actions for those in a finance/procurement role include identifying a relevant contract (assuming you even have one, let alone can find it), assess the risk factors associated with that supplier and contract, and then engage suppliers and issue risk assessment questionnaires.
Supplier response rates to these requests are often far higher if a supplier can complete questionnaires and sign up to contract amendments with minimal effort, preferably via a supplier-facing web-based portal. Bear in mind there is no legal concept of “deemed acceptance” i.e. you can’t say ‘they didn’t respond to my questions but I tried to do my bit”.
Once the ‘first-pass’ on supplier data checks has been made, the process should move into one of continuous monitoring to check for exposure to reputational, compliance, financial and operational risks to your organisation. This should go beyond basic commercial credit checks to include news sites, government data, disaster information systems, and possibly many other public and private data sources.
If a buying organisation can demonstrate that it has started down the path of, if not yet fully on top of, supplier engagement and risk management, then any audit is likely to look more favourably on the company. It’s important to note that you can’t really do much in the field of true risk assessment until you have got to grips with your basic supplier records. Until you have the basics of supplier management understood and deployed, you can’t effectively mitigate risk
